Volume  55  of  111 

(Accused  Copy) 


_ VERBATIM _ 1 

RECORD  OF  TRIAL2 

(and  accompanying  papers) 

of 


MANNING,  Bradley  E. 

PFC/E-3 

(Name:  Last,  First,  Middle  Initial) 

(Social  Security  Number) 

(Rank) 

Headquarters  and 
Headquarters  Company, 


United  States  Army  Garrison 

U .  S .  Army 

Fort  Myer,  VA  22211 

(Unit/Command  Name) 

(Branch  of  Service) 

(Station  or  Ship) 

By 


GENERAL  COURT-MARTIAL 


Convened  by  _ Commander _ 

( Title  of  Convening  Authority) 

UNITED  STATES  ARMY  MILITARY  DISTRICT  OF  WASHINGTON 
(Unit/Command  of  Convening  Authority) 

T ried  at 


Fort  Meade,  MD _  on  _ _ see  below 

(Place  or  Places  of  Trial)  (Date  or  Dates  of  Trial) 


Date  or  Dates  of  Trial : 

23  February  2012,  15-16  March  2012,  24-26  April  2012,  6-8  June  2012,  25  June  2012, 

16-19  July  2012,  28-30  August  2012,  2  October  2012,  12  October  2012,  17-18  October  2012, 

7- 8  November  2012,  27  November  -  2  December  2012,  5-7  December  2012,  10-11  December  2012, 

8- 9  January  2013,  16  January  2013,  26  February  -  1  March  2013,  8  March  2013, 

10  April  2013,  7-8  May  2013,  21  May  2013,  3-5  June  2013,  10-12  June  2013,  17-18  June  2013, 
25-28  June  2013,  1-2  July  2013,  8-10  July  2013,  15  July  2013,  18-19  July  2013, 

25-26  July  2013,  28  July  -  2  August  2013,  5-9  August  2013,  12-14  August  2013, 

16  August  2013,  and  19-21  August  2013. 


1  Insert  "verbatim"  or  "summarized"  as  appropriate.  (This  form  will  be  used  by  the  Army  and  Navy  for  verbatim  records  of  trial  only.) 

2  See  inside  back  cover  for  instructions  as  to  preparation  and  arrangement. 
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Record  Key  IP  Address  Visit  Date 


735080 

199.123.68.193 

3/18/08  1:45  PM 

735091 

148.124.208.90 

3/18/08  1:55  PM 

735102 

199.56.106.4 

3/18/08  2:11  PM 

735105 

157.218.188.112 

3/18/08  2:13  PM 

735106 

143.175.111.53 

3/18/08  2:13  PM 

735112 

207.85.78.81 

3/18/08  2:21PM 

735146 

132.143.125.137 

3/18/08  2:40  PM 

735204 

22.5.19.217 

3/18/08  3:21  PM 

735232 

22.15.142.231 

3/18/08  3:44  PM 

735234 

22.45.42.131 

3/18/08  3:44  PM 

735259 

22.21.14.136 

3/18/08  4:23  PM 

735294 

148.124.45.102 

3/18/08  5:32  PM 

735301 

148.124.46.99 

3/18/08  5:52  PM 

735308 

22.21.160.66 

3/18/08  6:27  PM 

735324 

128.80.137.173 

3/18/08  8:41  PM 

735325 

205.53.135.82 

3/18/08  9:12  PM 

735336 

22.25.254.34 

3/19/08  1:09  AM 

735351 

205.0.164.10 

3/19/08  2:28  AM 

735366 

141.220.71.26 

3/19/08  2:56  AM 

735379 

205.117.226.157 

3/19/08  4:01  AM 

735395 

147.254.239.187 

3/19/08  5:39  AM 

735410 

21.245.1.4 

3/19/08  6:14  AM 

735416 

207.85.220.43 

3/19/08  6:17  AM 

735426 

207.85.5.238 

3/19/08  6:27  AM 

735441 

204.21.117.77 

3/19/08  6:31AM 

735445 

204.20.252.211 

3/19/08  6:33  AM 

735473 

199.56.45.110 

3/19/08  6:58  AM 

735488 

199.122.142.38 

3/19/08  7:06  AM 

735494 

148.124.4.196 

3/19/08  7:13  AM 

735504 

138.165.27.1 

3/19/08  7:23  AM 

735514 

148.124.10.45 

3/19/08  7:26  AM 

735515 

157.202.35.43 

3/19/08  7:27  AM 

735523 

148.124.241.134 

3/19/08  7:32  AM 

735542 

148.124.19.55 

3/19/08  7:46  AM 

Record  Key  IP  Address  Visit  Date 


737326 

147.254.184.43 

3/21/08  8:09  AM 

2128888 

147.254.200.76 

7/25/08  8:27  AM 

2129042 

147.254.200.76 

7/25/08  9:41  AM 

3857809 

147.254.238.23 

3/15/10  12:49  PM 

735395 

147.254.239.187 

3/19/08  5:39  AM 

775303 

147.254.247.195 

4/30/08  3:14  PM 

734905 

147.254.27.40 

3/18/08  12:19  PM 

735514 

148.124.10.45 

3/19/08  7:26  AM 

3858019 

148.124.148.14 

3/16/10  7:29  AM 

2939008 

148.124.148.22 

5/8/09  7:21  AM 

736110 

148.124.154.149 

3/19/08  1:33  PM 

737125 

148.124.160.219 

3/20/08  6:23  PM 

2327739 

148.124.161.24 

9/5/08  5:57  PM 

2682607 

148.124.162.46 

2/10/09  4:05  PM 

2796287 

148.124.165.233 

3/16/09  10:12  AM 

736016 

148.124.167.89 

3/19/08  12:27  PM 

744009 

148.124.168.23 

3/28/08  2:24  PM 

736876 

148.124.170.26 

3/20/08  12:56  PM 

736970 

148.124.170.26 

3/20/08  1:36  PM 

769300 

148.124.170.26 

4/22/08  1:32  PM 

738713 

148.124.173.26 

3/24/08  12:30  PM 

735043 

148.124.186.40 

3/18/08  1:30  PM 

750457 

148.124.186.48 

4/3/08  9:35  AM 

735889 

148.124.19.107 

3/19/08  10:16  AM 

759963 

148.124.19.133 

4/10/08  11:43  AM 

2819909 

148.124.19.164 

3/26/09  4:12  PM 

734903 

148.124.19.196 

3/18/08  12:18  PM 

735542 

148.124.19.55 

3/19/08  7:46  AM 

738567 

148.124.19.55 

3/24/08  9:49  AM 

759943 

148.124.192.105 

4/10/08  11:26  AM 

737361 

148.124.192.181 

3/21/08  8:29  AM 

735015 

148.124.193.41 

3/18/08  1:18  PM 

735016 

148.124.193.41 

3/18/08  1:18  PM 

735020 

148.124.193.41 

3/18/08  1:19  PM 
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IP  Address 
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Record  Key 


735566 

22.21.9.148 

3/19/08  8:02  AM 

735572 

204.20.41.34 

3/19/08  8:04  AM 

735783 

22.2.53.71 

3/19/08  9:05  AM 

735795 

22.212.21.69 

3/19/08  9:16  AM 

735805 

143.57.168.31 

3/19/08  9:24  AM 

735808 

207.85.5.238 

3/19/08  9:25  AM 

735814 

157.202.35.130 

3/19/08  9:29  AM 

735815 

199.31.35.51 

3/19/08  9:30  AM 

735819 

157.202.27.43 

3/19/08  9:33  AM 

735822 

157.202.35.20 

3/19/08  9:36  AM 

735824 

157.202.27.43 

3/19/08  9:37  AM 

735851 

22.2.218.24 

3/19/08  9:48  AM 

735865 

207.85.5.238 

3/19/08  9:56  AM 

735870 

22.21.204.243 

3/19/08  9:59  AM 

735885 

157.202.34.16 

3/19/08  10:08  AM 

735889 

148.124.19.107 

3/19/08  10:16  AM 

735907 

207.85.78.75 

3/19/08  10:29  AM 

735909 

207.85.78.75 

3/19/08  10:33  AM 

735921 

22.28.162.87 

3/19/08  10:46  AM 

735944 

205.53.228.34 

3/19/08  11:09  AM 

735960 

148.124.82.172 

3/19/08  11:24  AM 

735983 

204.36.190.56 

3/19/08  11:52  AM 

736016 

148.124.167.89 

3/19/08  12:27  PM 

736018 

22.20.98.184 

3/19/08  12:28  PM 

736026 

22.5.18.169 

3/19/08  12:30  PM 

736052 

157.222.42.114 

3/19/08  12:54  PM 

736064 

22.2.53.211 

3/19/08  1:03  PM 

736074 

204.36.191.97 

3/19/08  1:19  PM 

736078 

22.2.53.101 

3/19/08  1:22  PM 

736079 

130.90.23.204 

3/19/08  1:22  PM 

736110 

148.124.154.149 

3/19/08  1:33  PM 

736123 

137.13.1.126 

3/19/08  1:38  PM 

736126 

207.85.131.37 

3/19/08  1:42  PM 

736159 

207.85.78.81 

3/19/08  2:15  PM 

735021 

148.124.193.41 

3/18/08  1:19  PM 

735091 

148.124.208.90 

3/18/08  1:55  PM 

747306 

148.124.208.91 

4/1/08  4:05  PM 

762112 

148.124.208.91 

4/14/08  3:19  PM 

2059548 

148.124.208.91 

7/7/08  3:34  PM 

3063418 

148.124.225.146 

5/26/09  12:30  PM 

3482172 

148.124.229.176 

10/30/09  3:45  PM 

734673 

148.124.231.32 

3/18/08  9:43  AM 

734804 

148.124.231.32 

3/18/08  10:41  AM 

735523 

148.124.241.134 

3/19/08  7:32  AM 

738529 

148.124.241.213 

3/24/08  9:17  AM 

745994 

148.124.241.85 

3/31/08  11:33  AM 

737083 

148.124.246.15 

3/20/08  3:42  PM 

2667897 

148.124.246.16 

2/4/09  3:05  PM 

735494 

148.124.4.196 

3/19/08  7:13  AM 

736632 

148.124.4.196 

3/20/08  9:33  AM 

735009 

148.124.4.42 

3/18/08  1:14  PM 

1973297 

148.124.41.66 

7/3/08  10:34  AM 

1973399 

148.124.41.66 

7/3/08  10:40  AM 

737895 

148.124.44.17 

3/22/08  2:13  AM 

739064 

148.124.44.17 

3/24/08  6:08  PM 

744130 

148.124.44.17 

3/28/08  6:45  PM 

747512 

148.124.44.17 

4/2/08  2:17  AM 

735294 

148.124.45.102 

3/18/08  5:32  PM 

735301 

148.124.46.99 

3/18/08  5:52  PM 

743637 

148.124.55.199 

3/28/08  8:43  AM 

736478 

148.124.8.37 

3/20/08  7:41  AM 

735960 

148.124.82.172 

3/19/08  11:24  AM 

735001 

148.124.95.30 

3/18/08  1:11  PM 

2853601 

153.22.111.60 

4/11/09  11:55  PM 

746825 

157.202.129.191 

4/1/08  10:05  AM 

735819 

157.202.27.43 

3/19/08  9:33  AM 

735824 

157.202.27.43 

3/19/08  9:37  AM 

735885 

157.202.34.16 

3/19/08  10:08  AM 
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736160 

22.2.53.242 

3/19/08  2:16  PM 

736175 

207.84.89.43 

3/19/08  2:35  PM 

736181 

22.2.53.74 

3/19/08  2:42  PM 

736187 

157.202.35.41 

3/19/08  2:50  PM 

736191 

21.245.1.4 

3/19/08  2:56  PM 

736195 

198.11.98.149 

3/19/08  2:58  PM 

736196 

22.2.53.96 

3/19/08  3:03  PM 

736209 

22.21.189.27 

3/19/08  3:21  PM 

736220 

199.56.149.128 

3/19/08  3:28  PM 

736235 

22.23.20.34 

3/19/08  3:50  PM 

736257 

157.202.35.41 

3/19/08  4:28  PM 

736277 

22.21.160.66 

3/19/08  5:16  PM 

736283 

22.21.160.19 

3/19/08  5:36  PM 

736287 

207.84.207.136 

3/19/08  5:52  PM 

736295 

205.14.236.154 

3/19/08  6:42  PM 

736296 

205.14.236.154 

3/19/08  6:42  PM 

736300 

199.56.34.114 

3/19/08  7:31  PM 

736364 

141.220.71.26 

3/20/08  5:04  AM 

736367 

205.53.225.34 

3/20/08  5:07  AM 

736430 

22.21.9.62 

3/20/08  7:20  AM 

736456 

22.21.14.181 

3/20/08  7:32  AM 

736478 

148.124.8.37 

3/20/08  7:41  AM 

736531 

22.2.183.1 

3/20/08  8:13  AM 

736568 

22.15.8.151 

3/20/08  8:42  AM 

736632 

148.124.4.196 

3/20/08  9:33  AM 

736641 

22.21.14.189 

3/20/08  9:39  AM 

736667 

22.21.192.159 

3/20/08  10:08  AM 

736671 

22.21.9.62 

3/20/08  10:09  AM 

736713 

164.222.90.99 

3/20/08  10:48  AM 

736747 

22.21.102.140 

3/20/08  11:24  AM 

736761 

22.21.102.140 

3/20/08  11:35  AM 

736762 

207.85.5.238 

3/20/08  11:35  AM 

736763 

22.2.13.31 

3/20/08  11:35  AM 

736768 

22.21.160.66 

3/20/08  11:39  AM 

735814 

157.202.35.130 

3/19/08  9:29  AM 

735822 

157.202.35.20 

3/19/08  9:36  AM 

736187 

157.202.35.41 

3/19/08  2:50  PM 

736257 

157.202.35.41 

3/19/08  4:28  PM 

735515 

157.202.35.43 

3/19/08  7:27  AM 

734861 

157.202.36.134 

3/18/08  11:31  AM 

2564189 

157.213.35.245 

12/23/08  3:25  AM 

1022609 

157.214.240.22 

6/2/08  5:36  AM 

734857 

157.214.254.158 

3/18/08  11:30  AM 

757943 

157.214.40.248 

4/8/08  3:40  PM 

1046964 

157.216.32.158 

6/3/08  11:51  AM 

735105 

157.218.188.112 

3/18/08  2:13  PM 

1006782 

157.218.37.179 

5/31/08  5:35  PM 

740577 

157.219.128.122 

3/25/08  6:31  AM 

738412 

157.220.161.44 

3/24/08  7:54  AM 

736052 

157.222.42.114 

3/19/08  12:54  PM 

1344756 

157.222.42.114 

6/12/08  11:12  AM 

734882 

157.224.197.144 

3/18/08  11:53  AM 

2809412 

158.242.11.93 

3/23/09  1:56  AM 

734692 

164.222.90.99 

3/18/08  9:58  AM 

734709 

164.222.90.99 

3/18/08  10:05  AM 

736713 

164.222.90.99 

3/20/08  10:48  AM 

750381 

192.234.101.214 

4/3/08  8:57  AM 

3857945 

192.234.101.214 

3/15/10  3:11  PM 

736195 

198.11.98.149 

3/19/08  2:58  PM 

742306 

198.11.99.195 

3/26/08  1:51  PM 

2321822 

198.201.144.114 

9/3/08  9:18  AM 

2321824 

198.201.144.114 

9/3/08  9:20  AM 

996227 

198.22.27.239 

5/31/08  4:51  AM 

996977 

198.22.27.239 

5/31/08  5:43  AM 

735488 

199.122.142.38 

3/19/08  7:06  AM 

854281 

199.122.157.10 

5/23/08  8:58  PM 

763838 

199.122.162.52 

4/15/08  4:33  PM 

734639 

199.123.68.193 

3/18/08  9:25  AM 
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736792 

137.13.24.220 

3/20/08 12:01  PM 

736821 

199.56.25.1 

3/20/0812:12  PM 

736848 

204.21.217.142 

3/20/08  12:35  PM 

736876 

148.124.170.26 

3/20/08  12:56  PM 

736967 

199.123.68.193 

3/20/08  1:35  PM 

736970 

148.124.170.26 

3/20/08  1:36  PM 

737021 

22.2.168.15 

3/20/08  2:32  PM 

737060 

147.254.171.184 

3/20/08  3:09  PM 

737083 

148.124.246.15 

3/20/08  3:42  PM 

737099 

22.4.28.226 

3/20/08  4:35  PM 

737125 

148.124.160.219 

3/20/08  6:23  PM 

737131 

128.80.137.83 

3/20/08  7:09  PM 

737180 

22.28.12.140 

3/21/08  4:24  AM 

737225 

131.240.17.34 

3/21/08  6:09  AM 

737230 

204.36.190.174 

3/21/08  6:37  AM 

737239 

22.45.248.13 

3/21/08  6:47  AM 

737282 

22.21.13.31 

3/21/08  7:37  AM 

737326 

147.254.184.43 

3/21/08  8:09  AM 

737361 

148.124.192.181 

3/21/08  8:29  AM 

737412 

143.57.168.34 

3/21/08  9:17  AM 

737442 

131.240.17.34 

3/21/08  9:36  AM 

737468 

22.21.14.144 

3/21/08  10:02  AM 

737483 

205.1.225.6 

3/21/08  10:06  AM 

737531 

204.36.180.68 

3/21/08  11:24  AM 

737561 

22.21.31.101 

3/21/08  12:22  PM 

737570 

207.85.211.41 

3/21/08  12:34  PM 

737588 

22.8.36.3 

3/21/081:00  PM 

737651 

132.143.9.35 

3/21/08  2:03  PM 

737739 

207.85.5.238 

3/21/08  3:16  PM 

737803 

132.143.125.21 

3/21/08  4:22  PM 

737839 

128.80.153.111 

3/21/08  8:07  PM 

737895 

148.124.44.17 

3/22/08  2:13  AM 

738228 

22.8.245.12 

3/23/08  4:04  PM 

738229 

22.8.245.24 

3/23/08  4:17  PM 

734696 

199.123.68.193 

3/18/08  10:03  AM 

735080 

199.123.68.193 

3/18/08  1:45  PM 

736967 

199.123.68.193 

3/20/08  1:35  PM 

748486 

199.123.68.193 

4/2/08  11:08  AM 

734921 

199.123.69.181 

3/18/08  12:29  PM 

743675 

199.124.32.228 

3/28/08  9:19  AM 

735013 

199.31.33.154 

3/18/08  1:18  PM 

761942 

199.31.33.211 

4/14/08  1:38  PM 

1789577 

199.31.34.58 

6/24/08  11:27  AM 

735815 

199.31.35.51 

3/19/08  9:30  AM 

2362192 

199.31.48.33 

9/19/08  3:39  AM 

762338 

199.31.48.6 

4/15/08  4:52  AM 

741741 

199.56.106.242 

3/26/08  8:17  AM 

735102 

199.56.106.4 

3/18/08  2:11  PM 

3858425 

199.56.106.4 

3/16/10  11:42  AM 

736220 

199.56.149.128 

3/19/08  3:28  PM 

1199848 

199.56.18.124 

6/8/08  6:50  PM 

1199915 

199.56.18.124 

6/8/08  6:53  PM 

1032337 

199.56.249.73 

6/2/08  5:20  PM 

736821 

199.56.25.1 

3/20/08  12:12  PM 

736300 

199.56.34.114 

3/19/08  7:31  PM 

735473 

199.56.45.110 

3/19/08  6:58  AM 

1559241 

204.20.132.59 

6/18/08  10:49  AM 

751084 

204.20.134.135 

4/3/08  9:34  PM 

734849 

204.20.143.46 

3/18/08  11:28  AM 

734842 

204.20.165.38 

3/18/08  11:12  AM 

738938 

204.20.176.117 

3/24/08  2:48  PM 

1510161 

204.20.176.88 

6/16/08  12:55  PM 

738881 

204.20.176.90 

3/24/08  2:13  PM 

1305973 

204.20.176.90 

6/11/08  12:55  PM 

1315494 

204.20.176.90 

6/11/08  6:29  PM 

1357987 

204.20.176.90 

6/12/08  6:21  PM 

1536683 

204.20.176.90 

6/17/08  10:39  AM 

758939 

204.20.21.146 

4/9/08  1:24  PM 
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738271 

128.80.240.63 

3/24/08  2:46  AM 

738307 

22.8.112.219 

3/24/08  5:36  AM 

738336 

143.57.168.35 

3/24/08  6:25  AM 

738350 

22.20.98.200 

3/24/08  6:49  AM 

738356 

204.36.190.56 

3/24/08  6:57  AM 

738377 

22.214.7.240 

3/24/08  7:23  AM 

738403 

22.21.14.156 

3/24/08  7:46  AM 

738412 

157.220.161.44 

3/24/08  7:54  AM 

738517 

22.21.160.19 

3/24/08  9:08  AM 

738526 

22.8.245.24 

3/24/08  9:14  AM 

738529 

148.124.241.213 

3/24/08  9:17  AM 

738555 

22.21.192.159 

3/24/08  9:43  AM 

738564 

22.212.21.69 

3/24/08  9:48  AM 

738567 

148.124.19.55 

3/24/08  9:49  AM 

738569 

207.85.134.203 

3/24/08  9:49  AM 

738615 

204.36.191.109 

3/24/08  10:32  AM 

738619 

22.21.15.109 

3/24/08  10:42  AM 

738624 

204.36.190.29 

3/24/08  10:55  AM 

738629 

204.36.190.56 

3/24/08  10:59  AM 

738635 

207.84.99.137 

3/24/08  11:02  AM 

738657 

22.21.14.148 

3/24/08  11:23  AM 

738681 

22.8.101.87 

3/24/08  11:54  AM 

738695 

22.21.15.14 

3/24/08  12:04  PM 

738713 

148.124.173.26 

3/24/08  12:30  PM 

738730 

204.36.191.128 

3/24/08  12:42  PM 

738802 

204.36.191.81 

3/24/08  1:14  PM 

738814 

207.85.134.181 

3/24/081:23  PM 

738840 

205.19.17.133 

3/24/08  1:48  PM 

738854 

207.85.5.238 

3/24/08  1:55  PM 

738881 

204.20.176.90 

3/24/08  2:13  PM 

738938 

204.20.176.117 

3/24/08  2:48  PM 

738971 

22.2.53.131 

3/24/08  3:16  PM 

739064 

148.124.44.17 

3/24/08  6:08  PM 

740577 

157.219.128.122 

3/25/08  6:31  AM 

735445 

204.20.252.211 

3/19/08  6:33  AM 

735572 

204.20.41.34 

3/19/08  8:04  AM 

741165 

204.20.5.132 

3/25/08  1:40  PM 

734868 

204.20.81.51 

3/18/08  11:39  AM 

735441 

204.21.117.77 

3/19/08  6:31  AM 

1089953 

204.21.149.229 

6/5/08  11:19  AM 

1230091 

204.21.149.229 

6/9/08  10:33  AM 

1065794 

204.21.149.232 

6/4/08  11:02  AM 

1066157 

204.21.149.232 

6/4/08  11:18  AM 

1102987 

204.21.162.231 

6/5/08  11:25  PM 

1531495 

204.21.184.51 

6/17/08  8:12  AM 

3331106 

204.21.20.6 

9/23/09  5:55  PM 

736848 

204.21.217.142 

3/20/08  12:35  PM 

734975 

204.21.231.171 

3/18/08  12:52  PM 

755311 

204.21.50.68 

4/7/08  3:41  AM 

3200924 

204.21.6.15 

6/24/09  1:12  PM 

2041593 

204.21.84.166 

7/6/08  6:34  PM 

737531 

204.36.180.68 

3/21/08  11:24  AM 

734785 

204.36.183.206 

3/18/08  10:32  AM 

737230 

204.36.190.174 

3/21/08  6:37  AM 

738624 

204.36.190.29 

3/24/08  10:55  AM 

735983 

204.36.190.56 

3/19/08  11:52  AM 

738356 

204.36.190.56 

3/24/08  6:57  AM 

738629 

204.36.190.56 

3/24/08  10:59  AM 

741987 

204.36.190.56 

3/26/08  10:16  AM 

743499 

204.36.190.56 

3/28/08  7:05  AM 

738615 

204.36.191.109 

3/24/08  10:32  AM 

738730 

204.36.191.128 

3/24/08  12:42  PM 

750391 

204.36.191.138 

4/3/08  9:06  AM 

738802 

204.36.191.81 

3/24/08  1:14  PM 

736074 

204.36.191.97 

3/19/08  1:19  PM 

740764 

204.36.195.228 

3/25/08  9:09  AM 

3311310 

205.0.132.115 

8/18/09  12:19  PM 

3311314 

205.0.132.115 

8/18/09  12:24  PM 
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740629 

22.23.113.49 

3/25/08  7:18  AM 

740649 

22.30.13.141 

3/25/08  7:37  AM 

740666 

22.30.13.141 

3/25/08  7:48  AM 

740764 

204.36.195.228 

3/25/08  9:09  AM 

740895 

207.84.49.157 

3/25/08  10:50  AM 

741041 

22.21.14.152 

3/25/08  12:21  PM 

741146 

22.21.53.99 

3/25/08  1:28  PM 

741165 

204.20.5.132 

3/25/08  1:40  PM 

741272 

22.21.14.139 

3/25/08  3:05  PM 

741448 

22.45.248.155 

3/25/08  6:05  PM 

741658 

22.8.33.114 

3/26/08  7:11  AM 

741683 

207.85.134.201 

3/26/08  7:31  AM 

741741 

199.56.106.242 

3/26/08  8:17  AM 

741867 

207.85.78.73 

3/26/08  9:27  AM 

741872 

21.245.1.4 

3/26/08  9:31  AM 

741914 

147.254.107.74 

3/26/08  9:47  AM 

741987 

204.36.190.56 

3/26/08  10:16  AM 

742034 

22.21.192.157 

3/26/08  10:59  AM 

742181 

22.2.54.49 

3/26/08  12:42  PM 

742306 

198.11.99.195 

3/26/08  1:51  PM 

742337 

22.21.206.174 

3/26/08  2:20  PM 

742346 

207.85.134.187 

3/26/08  2:30  PM 

742755 

143.57.168.31 

3/27/08  8:07  AM 

742780 

22.15.141.79 

3/27/08  8:28  AM 

742807 

22.15.141.79 

3/27/08  8:47  AM 

743033 

205.0.215.113 

3/27/08  11:13  AM 

743223 

22.21.9.62 

3/27/08  2:09  PM 

743323 

22.5.61.218 

3/27/08  4:54  PM 

743429 

22.28.224.4 

3/28/08  5:01  AM 

743499 

204.36.190.56 

3/28/08  7:05  AM 

743548 

21.245.1.4 

3/28/08  7:52  AM 

743559 

22.21.9.81 

3/28/08  7:58  AM 

743612 

22.21.9.81 

3/28/08  8:22  AM 

743637 

148.124.55.199 

3/28/08  8:43  AM 

3320684|205. 0.132.1 15 

9/5/09  2:26  Pm| 

7736201205.0.145.113 

4/29/08  7:39  AM  | 

735351  205.0.164.10 

3/19/08  2:28  AM| 

759457|  205. 0.164. 10 

4/10/08  5:43  AM| 

743033)  205.0.2 15.113 

3/27/08  11:13  AM| 

763872|205. 1.204.42 

4/15/08  4:54  PM  j 

737483|205. 1.225.6 

3/21/08  10:06  AM  j 

735379|205.117 .226.157 

3/19/08  4:01  AM| 

286543 3 1 205. 13. 2 13. 115 

4/16/09  11:33  AM 

734759|205. 14.113.91 

3/18/08  10:22  AM| 

736295|205. 14.236.154 

3/19/08  6:42  PM| 

736296  205.14.236.154 

3/19/08  6:42  PM| 

3821060|205. 14.92.220 

1/14/10  1:36  PM| 

738840|205. 19.17.133 

3/24/08  1:48  PM  j 

10399081205. 33.67.21 

6/3/08  2:14  AM  | 

1003510|205. 39.4.21 

5/31/08  1:29  PM) 

735325|205.53.135.82 

3/18/08  9:12  PM| 

736367  j  205.53.225.34 

3/20/08  5:07  AM| 

735944|205.53. 228.34 

3/19/08  11:09  AM| 

1571987|205. 54.31. 185 

6/18/08  6:03  PM 

3218858|205.55.0.2 

7/2/09  11:25  AM) 

746965|  205. 55. 32. 3 

4/1/08  11:35  AM| 

2650518|205. 55.32.3 

1/28/09  3:57  PM| 

734912|206.36. 111.195 

3/18/08  12:22  PM| 

745920|206.36.111.195 

3/31/08  10:23  AM| 

755186|  206. 36.  111.  195 

""  4/6/08  2:48  PM| 

756622|206.36.111.195 

4/7/08  4:31  PM| 

2352314|206.36.111.195 

9/15/08  10:58  AM| 

734860|  206. 36.90. 135 

3/18/08  11:31  AM| 

735066|207.84.120.70 

3/18/081:37  PM| 

748600|207. 84.120.73 

4/2/08  12:39  PM| 

734793|207. 84. 120.78 

3/18/08  10:35  AM | 

1026027|207. 84. 137.101 

6/2/08  9:55  AM  | 

2840394|207.84.157.178 

4/5/09  9:58  AM| 
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736287 

207.84.207.136 

3/19/08  5:52  PM 

1240972 

207.84.216.66 

6/9/08  4:55  PM 

3217536 

207.84.25.85 

7/1/09  3:37  AM 

740895 

207.84.49.157 

3/25/08  10:50  AM 

736175 

207.84.89.43 

3/19/08  2:35  PM 

769227 

207.84.89.46 

4/22/08  12:37  PM 

1609663 

207.84.95.18 

6/19/08  10:37  AM 

1609719 

207.84.95.18 

6/19/08  10:39  AM 

738635 

207.84.99.137 

3/24/08  11:02  AM 

745649 

207.85.119.47 

3/31/08  8:04  AM 

761293 

207.85.124.43 

4/13/08  10:40  PM 

736126 

207.85.131.37 

3/19/08  1:42  PM 

734897 

207.85.134.181 

3/18/08  12:13  PM 

738814 

207.85.134.181 

3/24/08  1:23  PM 

742346 

207.85.134.187 

3/26/08  2:30  PM 

741683 

207.85.134.201 

3/26/08  7:31  AM 

738569 

207.85.134.203 

3/24/08  9:49  AM 

788801 

207.85.160.76 

5/14/08  3:33  PM 

2563122 

207.85.160.76 

12/22/08  3:17  PM 

737570 

207.85.211.41 

3/21/08  12:34PM 

746001 

207.85.211.41 

3/31/08  11:38  AM 

746380 

207.85.211.41 

3/31/08  5:04  PM 

761142 

207.85.211.41 

4/11/08  6:07  PM 

964110 

207.85.211.41 

5/29/08  12:39  PM 

2371712 

207.85.211.41 

9/24/08  3:32  PM 

2371806 

207.85.211.41 

9/24/08  4:02  PM 

2458670 

207.85.211.41 

11/6/08  9:15  PM 

2679617 

207.85.211.41 

2/9/09  1:26  PM 

735416 

207.85.220.43 

3/19/08  6:17  AM 

735426 

207.85.5.238 

3/19/08  6:27  AM 

735808 

207.85.5.238 

3/19/08  9:25  AM 

735865 

207.85.5.238 

3/19/08  9:56  AM 

736762 

207.85.5.238 

3/20/08  11:35  AM 

737739 

207.85.5.238 

3/21/08  3:16  PM 

743675 

199.124.32.228 

3/28/08  9:19  AM 

743917 

22.21.14.171 

3/28/08  12:53  PM 

744009 

148.124.168.23 

3/28/08  2:24  PM 

744023 

144.19.37.37 

3/28/08  2:37  PM 

744130 

148.124.44.17 

3/28/08  6:45  PM 

745169 

22.30.197.142 

3/29/08  9:57  AM 

745466 

143.75.50.241 

3/30/08  11:34  PM 

745467 

143.75.50.241 

3/30/08  11:34  PM 

745468 

143.75.50.241 

3/30/08  11:34  PM 

745506 

22.2.1.6 

3/31/08  3:21  AM 

745649 

207.85.119.47 

3/31/08  8:04  AM 

745833 

22.20.33.131 

3/31/08  9:36  AM 

745875 

22.21.9.62 

3/31/08  10:03  AM 

745920 

206.36.111.195 

3/31/08  10:23  AM 

745929 

22.8.84.39 

3/31/08  10:32  AM 

745974 

22.2.53.211 

3/31/08  11:11AM 

745981 

22.2.53.211 

3/31/08  11:13  AM 

745993 

22.2.53.75 

3/31/08  11:32  AM 

745994 

148.124.241.85 

3/31/08  11:33  AM 

746001 

207.85.211.41 

3/31/08  11:38  AM 

746043 

147.254.140.58 

3/31/08  12:09  PM 

746070 

22.2.53.224 

3/31/08  12:22  PM 

746079 

22.2.53.201 

3/31/08  12:28  PM 

746299 

22.2.53.96 

3/31/08  3:05  PM 

746380 

207.85.211.41 

3/31/08  5:04  PM 

746561 

21.245.1.4 

4/1/08  6:56  AM 

746601 

22.2.53.96 

4/1/08  7:32  AM 

746605 

22.21.9.62 

4/1/08  7:34  AM 

746615 

22.2.53.35 

4/1/08  7:43  AM 

746617 

22.28.2.56 

4/1/08  7:47  AM 

746659 

22.2.53.50 

4/1/08  8:16  AM 

746675 

22.21.9.175 

4/1/08  8:26  AM 

746815 

22.30.225.185 

4/1/08  10:00  AM 

746825 

157.202.129.191 

4/1/08  10:05  AM 
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746832 

22.21.15.14 

4/1/08  10:07  AM 

746965 

205.55.32.3 

4/1/08  11:35  AM 

747116 

22.21.28.110 

4/1/08  1:41  PM 

747306 

148.124.208.91 

4/1/08  4:05  PM 

747512 

148.124.44.17 

4/2/08  2:17  AM 

747586 

21.245.1.4 

4/2/08  6:24  AM 

747607 

22.21.9.62 

4/2/08  6:37  AM 

747689 

22.30.163.210 

4/2/08  7:47  AM 

748486 

199.123.68.193 

4/2/08  11:08  AM 

748600 

207.84.120.73 

4/2/08  12:39  PM 

748884 

22.20.98.182 

4/2/08  3:35  PM 

750320 

22.2.53.63 

4/3/08  8:18  AM 

750381 

192.234.101.214 

4/3/08  8:57  AM 

750391 

204.36.191.138 

4/3/08  9:06  AM 

750439 

147.254.140.58 

4/3/08  9:29  AM 

750457 

148.124.186.48 

4/3/08  9:35  AM 

750614 

22.5.54.12 

4/3/08  11:46  AM 

750946 

22.5.54.200 

4/3/08  3:42  PM 

751084 

204.20.134.135 

4/3/08  9:34  PM 

751658 

22.2.53.158 

4/4/08  7:58AM 

751859 

22.217.66.208 

4/4/08  9:47  AM 

753788 

21.245.1.4 

4/4/08  2:25  PM 

753993 

22.21.171.32 

4/4/08  4:14  PM 

754924 

22.4.73.177 

4/5/08  3:08  PM 

755186 

206.36.111.195 

4/6/08  2:48  PM 

755219 

143.75.50.241 

4/6/08  7:07  PM 

755304 

22.13.56.186 

4/7/08  3:19  AM 

755311 

204.21.50.68 

4/7/08  3:41  AM 

755811 

22.21.14.141 

4/7/08  8:29  AM 

755869 

21.245.1.4 

4/7/08  9:01  AM 

756021 

22.21.31.108 

4/7/08  10:50  AM 

756036 

21.245.1.4 

4/7/08  11:00  AM 

756236 

22.2.145.2 

4/7/08  12:55  PM 

756406 

22.21.9.92 

4/7/08  1:57  PM 

Record  Key  IP  Address  Visit  Date 


738854 

207.85.5.238 

3/24/08  1:55  PM 

2261516 

207.85.5.238 

8/12/08  11:49  AM 

734708 

207.85.61.114 

3/18/08  10:05  AM 

734851 

207.85.68.123 

3/18/08  11:28  AM 

741867 

207.85.78.73 

3/26/08  9:27  AM 

759816 

207.85.78.73 

4/10/08  10:38  AM 

735907 

207.85.78.75 

3/19/08  10:29  AM 

735909 

207.85.78.75 

3/19/08  10:33  AM 

735112 

207.85.78.81 

3/18/08  2:21PM 

736159 

207.85.78.81 

3/19/08  2:15  PM 

734770 

21.245.1.4 

3/18/08  10:27  AM 

734771 

21.245.1.4 

3/18/08  10:27  AM 

734986 

21.245.1.4 

3/18/08  1:02  PM 

735410 

21.245.1.4 

3/19/08  6:14  AM 

736191 

21.245.1.4 

3/19/08  2:56  PM 

741872 

21.245.1.4 

3/26/08  9:31  AM 

743548 

21.245.1.4 

3/28/08  7:52  AM 

746561 

21.245.1.4 

4/1/08  6:56  AM 

747586 

21.245.1.4 

4/2/08  6:24  AM 

753788 

21.245.1.4 

4/4/08  2:25  PM 

755869 

21.245.1.4 

4/7/08  9:01  AM 

756036 

21.245.1.4 

4/7/08  11:00  AM 

758450 

21.245.1.4 

4/9/08  9:26  AM 

758783 

21.245.1.4 

4/9/08  12:16  PM 

758872 

21.245.1.4 

4/9/08  12:47  PM 

758885 

21.245.1.4 

4/9/08  12:51  PM 

758888 

21.245.1.4 

4/9/08  12:52  PM 

758903 

21.245.1.4 

4/9/08  12:57  PM 

761450 

21.245.1.4 

4/14/08  8:05  AM 

764372 

21.245.1.4 

4/16/08  9:51  AM 

764785 

21.245.1.4 

4/16/08  2:55  PM 

3854439 

21.245.9.15 

3/9/101:13  PM 

734711 

22.13.44.234 

3/18/08  10:05  AM 

1000186 

22.13.46.171 

5/31/08  9:34  AM 
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755304 

22.13.56.186 

4/7/08  3:19  AM 

734710 

22.15.141.48 

3/18/08  10:05  AM 

742780 

22.15.141.79 

3/27/08  8:28  AM 

742807 

22.15.141.79 

3/27/08  8:47  AM 

3858006 

22.15.142.161 

3/15/10  4:02  PM 

1975298 

22.15.142.165 

7/3/08  12:59  PM 

1064897 

22.15.142.220 

6/4/08  9:56  AM 

735232 

22.15.142.231 

3/18/08  3:44  PM 

736568 

22.15.8.151 

3/20/08  8:42  AM 

745506 

22.2.1.6 

3/31/08  3:21  AM 

736763 

22.2.13.31 

3/20/08  11:35  AM 

756236 

22.2.145.2 

4/7/08  12:55  PM 

737021 

22.2.168.15 

3/20/08  2:32  PM 

734966 

22.2.183.1 

3/18/08  12:47  PM 

736531 

22.2.183.1 

3/20/08  8:13  AM 

735851 

22.2.218.24 

3/19/08  9:48  AM 

2536066 

22.2.52.11 

12/11/08  9:35  AM 

736078 

22.2.53.101 

3/19/08  1:22  PM 

738971 

22.2.53.131 

3/24/08  3:16  PM 

751658 

22.2.53.158 

4/4/08  7:58  AM 

746079 

22.2.53.201 

3/31/08  12:28  PM 

736064 

22.2.53.211 

3/19/08  1:03  PM 

745974 

22.2.53.211 

3/31/08  11:11  AM 

745981 

22.2.53.211 

3/31/08  11:13  AM 

746070 

22.2.53.224 

3/31/08  12:22  PM 

736160 

22.2.53.242 

3/19/08  2:16  PM 

746615 

22.2.53.35 

4/1/08  7:43  AM 

746659 

22.2.53.50 

4/1/08  8:16  AM 

775310 

22.2.53.50 

4/30/08  3:26  PM 

776576 

22.2.53.50 

5/2/08  6:47  AM 

750320 

22.2.53.63 

4/3/08  8:18  AM 

757832 

22.2.53.65 

4/8/08  2:21  PM 

734911 

22.2.53.66 

3/18/08  12:22  PM 

735783 

22.2.53.71 

3/19/08  9:05  AM 

756622 

206.36.111.195 

4/7/08  4:31  PM 

757303 

22.46.45.28 

4/8/08  9:02  AM 

757832 

22.2.53.65 

4/8/08  2:21  PM 

757943 

157.214.40.248 

4/8/08  3:40  PM 

758450 

21.245.1.4 

4/9/08  9:26  AM 

758585 

22.4.73.118 

4/9/08  10:43  AM 

758621 

22.20.33.131 

4/9/08  10:54  AM 

758703 

22.21.14.160 

4/9/08  11:40  AM 

758783 

21.245.1.4 

4/9/08  12:16  PM 

758872 

21.245.1.4 

4/9/08  12:47  PM 

758885 

21.245.1.4 

4/9/08  12:51  PM 

758888 

21.245.1.4 

4/9/0812:52  PM 

758903 

21.245.1.4 

4/9/08  12:57  PM 

758939 

204.20.21.146 

4/9/08  1:24  PM 

759457 

205.0.164.10 

4/10/08  5:43  AM 

759500 

22.8.102.112 

4/10/08  7:30  AM 

759816 

207.85.78.73 

4/10/08  10:38  AM 

759943 

148.124.192.105 

4/10/08  11:26  AM 

759963 

148.124.19.133 

4/10/0811:43  AM 

760027 

143.175.111.53. 

4/10/08  12:27  PM 

760031 

22.21.171.31 

4/10/08  12:34  PM 

760925 

22.21.14.146 

4/11/08  1:36  PM 

761142 

207.85.211.41 

4/11/08  6:07  PM 

761293 

207.85.124.43 

4/13/08  10:40  PM 

761450 

21.245.1.4 

4/14/08  8:05  AM 

761942 

199.31.33.211 

4/14/08  1:38  PM 

762112 

148.124.208.91 

4/14/08  3:19  PM 

762338 

199.31.48.6 

4/15/08  4:52  AM 

763838 

199.122.162.52 

4/15/08  4:33  PM 

763872 

205.1.204.42 

4/15/08  4:54  PM 

763919 

22.23.92.39 

4/15/08  5:56  PM 

764372 

21.245.1.4 

4/16/08  9:51  AM 

764785 

21.245.1.4 

4/16/08  2:55  PM 

766070 

22.21.189.27 

4/17/08  5:30  PM 

ManningB_00377719 


IP  Address 


Visit  Date 


Views  of  ACIC  Product  RB08-0617.asp 
Record  Key 


IP  Address 


Visit 


Record  Key 


767793 

22.2.54.25 

4/21/08  10:04  AM 

767889 

22.21.14.170 

4/21/08  10:57  AM 

768258 

22.4.28.225 

4/21/08  2:38  PM 

769227 

207.84.89.46 

4/22/08  12:37  PM 

769300 

148.124.170.26 

4/22/08  1:32  PM 

773124 

22.21.9.162 

4/28/08  1:11  PM 

773620 

205.0.145.113 

4/29/08  7:39  AM 

775303 

147.254.247.195 

4/30/08  3:14  PM 

775310 

22.2.53.50 

4/30/08  3:26  PM 

776576 

22.2.53.50 

5/2/08  6:47  AM 

777461 

131.240.53.95 

5/3/08  6:32  PM 

779250 

22.21.9.62 

5/6/08  11:07  AM 

782158 

22.21.14.136 

5/9/08  3:23  PM 

788756 

22.21.14.136 

5/14/08  2:57  PM 

788801 

207.85.160.76 

5/14/08  3:33  PM 

803999 

22.21.9.62 

5/16/08  10:07  AM 

804059 

22.21.14.136 

5/16/08  10:47  AM 

804287 

22.21.77.214 

5/16/08  1:35  PM 

830972 

22.21.14.136 

5/22/08  3:46  PM 

854281 

199.122.157.10 

5/23/08  8:58  PM 

927721 

22.21.14.171 

5/27/08  4:20  PM 

927808 

22.21.14.171 

5/27/08  4:23  PM 

941167 

22.21.13.50 

5/28/08  9:06  AM 

964110 

207.85.211.41 

5/29/08  12:39  PM 

988665 

128.80.137.173 

5/30/08  7:41  PM 

996227 

198.22.27.239 

5/31/08  4:51AM 

996977 

198.22.27.239 

5/31/08  5:43  AM 

1000186 

22.13.46.171 

5/31/089:34  AM 

1003510 

205.39.4.21 

5/31/08  1:29  PM 

1006782 

157.218.37.179 

5/31/08  5:35  PM 

1020659 

22.5.67.114 

6/2/08  3:08  AM 

1022609 

157.214.240.22 

6/2/08  5:36  AM 

1025004 

22.219.125.15 

6/2/08  8:36  AM 

1025136 

22.219.125.15 

6/2/08  8:43  AM 

736181 

22.2.53.74 

3/19/08  2:42  PM 

745993 

22.2.53.75 

3/31/08  11:32  AM 

736196 

22.2.53.96 

3/19/08  3:03  PM 

746299 

22.2.53.96 

3/31/08  3:05  PM 

746601 

22.2.53.96 

4/1/08  7:32  AM 

767793 

22.2.54.25 

4/21/08  10:04  AM 

742181 

22.2.54.49 

3/26/08  12:42  PM 

3858251 

22.2.85.46 

3/16/10  10:04  AM 

745833 

22.20.33.131 

3/31/08  9:36  AM 

758621 

22.20.33.131 

4/9/08  10:54  AM 

734964 

22.20.98.15 

3/18/08  12:46  PM 

734884 

22.20.98.171 

3/18/08  11:57  AM 

3858090 

22.20.98.180 

3/16/10  8:33  AM 

748884 

22.20.98.182 

4/2/08  3:35  PM 

736018 

22.20.98.184 

3/19/08  12:28  PM 

738350 

22.20.98.200 

3/24/08  6:49  AM 

1951848 

22.21.1.27 

7/2/08  9:24  AM 

1951422 

22.21.1.29 

7/2/08  8:56  AM 

736747 

22.21.102.140 

3/20/08  11:24  AM 

736761 

22.21.102.140 

3/20/08  11:35  AM 

737282 

22.21.13.31 

3/21/08  7:37  AM 

941167 

22.21.13.50 

5/28/08  9:06  AM 

1789206 

22.21.13.50 

6/24/08  11:06  AM 

1789558 

22.21.13.50 

6/24/08  11:25  AM 

2179073 

22.21.13.71 

8/1/08  12:50  PM 

2092555 

22.21.14.133 

7/17/08  12:02  PM 

735259 

22.21.14.136 

3/18/08  4:23  PM 

782158 

22.21.14.136 

5/9/08  3:23  PM 

788756 

22.21.14.136 

5/14/08  2:57  PM 

804059 

22.21.14.136 

5/16/08  10:47  AM 

830972 

22.21.14.136 

5/22/08  3:46  PM 

741272 

22.21.14.139 

3/25/08  3:05  PM 

2682703 

22.21.14.139 

2/10/09  4:45  PM 

2810377 

22.21.14.139 

3/23/09  11:54  AM 

ManningB_00377720 


IP  Address 


Visit  Date 


Views  of  ACtC  Product  RB08-0617.asp 
Record  Key 


IP  Address 


Visit 


Record  Key 


1025286 

22.219.125.15 

6/2/08  8:56  AM 

1026027 

207.84.137.101 

6/2/08  9:55  AM 

1026477 

22.219.98.121 

6/2/08  10:33  AM 

1027108 

22.21.14.160 

6/2/08  11:17  AM 

1029749 

128.80.15.76 

6/2/08  2:39  PM 

1032337 

199.56.249.73 

6/2/08  5:20  PM 

1034511 

128.80.15.100 

6/2/08  7:54  PM 

1039908 

205.33.67.21 

6/3/08  2:14  AM 

1046964 

157.216.32.158 

6/3/08  11:51  AM 

1064897 

22.15.142.220 

6/4/08  9:56  AM 

1065794 

204.21.149.232 

6/4/08  11:02  AM 

1066157 

204.21.149.232 

6/4/08  11:18  AM 

1089953 

204.21.149.229 

6/5/08  11:19  AM 

1102987 

204.21.162.231 

6/5/08  11:25  PM 

1189095 

22.4.28.22 

6/8/08  12:21  PM 

1199848 

199.56.18.124 

6/8/08  6:50  PM 

1199915 

199.56.18.124 

6/8/08  6:53  PM 

1230091 

204.21.149.229 

6/9/08  10:33  AM 

1234799 

22.21.14.141 

6/9/08  1:24  PM 

1240972 

207.84.216.66 

6/9/08  4:55  PM 

1301503 

22.21.14.141 

6/11/08  10:04  AM 

1305973 

204.20.176.90 

6/11/08  12:55  PM 

1315494 

204.20.176.90 

6/11/08  6:29  PM 

1344756 

157.222.42.114 

6/12/08  11:12  AM 

1357987 

204.20.176.90 

6/12/08  6:21  PM 

1385780 

22.30.125.52 

6/13/08  9:46  AM 

1510161 

204.20.176.88 

6/16/08  12:55  PM 

1510443 

22.21.14.160 

6/16/081:10  PM 

1513094 

22.21.14.171 

6/16/08  4:17  PM 

1531495 

204.21.184.51 

6/17/08  8:12  AM 

1536683 

204.20.176.90 

6/17/08  10:39  AM 

1559241 

204.20.132.59 

6/18/08  10:49  AM 

1571987 

205.54.31.185 

6/18/08  6:03  PM 

1585966 

22.30.73.130 

6/19/08  12:06  AM 

3018055 

22.21.14.139 

5/19/09  2:54  PM 

755811 

22.21.14.141 

4/7/08  8:29  AM 

1234799 

22.21.14.141 

6/9/08  1:24  PM 

1301503 

22.21.14.141 

6/11/08  10:04  AM 

737468 

22.21.14.144 

3/21/08  10:02  AM 

760925 

22.21.14.146 

4/11/08  1:36  PM 

738657 

22.21.14.148 

3/24/08  11:23  AM 

741041 

22.21.14.152 

3/25/08  12:21  PM 

738403 

22.21.14.156 

3/24/08  7:46  AM 

734691 

22.21.14.160 

3/18/08  9:56  AM 

758703 

22.21.14.160 

4/9/08  11:40  AM 

1027108 

22.21.14.160 

6/2/08  11:17  AM 

1510443 

22.21.14.160 

6/16/08  1:10  PM 

2435955 

22.21.14.167 

10/24/08  10:43  AM 

734934 

22.21.14.168 

3/18/08  12:34  PM 

3331687 

22.21.14.17 

9/24/09  1:10  PM 

734886 

22.21.14.170 

3/18/08  11:58  AM 

767889 

22.21.14.170 

4/21/08  10:57  AM 

3858229 

22.21.14.170 

3/16/10  9:54  AM 

734788 

22.21.14.171 

3/18/08  10:33  AM 

734850 

22.21.14.171 

3/18/08  11:28  AM 

734869 

22.21.14.171 

3/18/08  11:40  AM 

743917 

22.21.14.171 

3/28/08  12:53  PM 

927721 

22.21.14.171 

5/27/08  4:20  PM 

927808 

22.21.14.171 

5/27/08  4:23  PM 

1513094 

22.21.14.171 

6/16/08  4:17  PM 

1648699 

22.21.14.171 

6/20/08  1:15  PM 

1648945 

22.21.14.171 

6/20/08  1:22  PM 

1650471 

22.21.14.171 

6/20/08  2:18  PM 

2603633 

22.21.14.172 

1/8/09  10:06  AM 

3827031 

22.21.14.177 

1/25/10  12:28  PM 

3858230 

22.21.14.177 

3/16/10  9:55  AM 

734669 

22.21.14.179 

3/18/08  9:40  AM 

3857979 

22.21.14.180 

3/15/10  3:47  PM 

ManningB_00377721 


IP  Address 


Visit  Date 


Views  of  ACIC  Product  RB08-0617.asp. 

Record  Key 


IP  Address 


Visit 


Record  Key 


1586349 

22.30.73.130 

6/19/08  12:21  AM 

1609663 

207.84.95.18 

6/19/08 10:37  AM 

1609719 

207.84.95.18 

6/19/08  10:39  AM 

1635369 

139.32.17.34 

6/20/08  4:59  AM 

1635448 

139.32.17.34 

6/20/08  5:04  AM 

1648699 

22.21.14.171 

6/20/08  1:15  PM 

1648945 

22.21.14.171 

6/20/08  1:22  PM 

1650471 

22.21.14.171 

6/20/08  2:18  PM 

1789206 

22.21.13.50 

6/24/08  11:06  AM 

1789558 

22.21.13.50 

6/24/08  11:25  AM 

1789577 

199.31.34.58 

6/24/08  11:27  AM 

1851954 

141.220.71.27 

6/27/08  10:35  AM 

1858846 

22.4.28.24 

6/27/08  10:45  PM 

1906032 

141.220.71.27 

6/30/08  6:03  AM 

1925023 

141.220.71.27 

7/1/08  3:27  AM 

1925157 

141.220.71.27 

7/1/08  3:35  AM 

1950476 

22.21.9.11 

7/2/08  7:57  AM 

1950477 

22.21.9.10 

7/2/08  7:59  AM 

1950647 

22.21.9.10 

7/2/08  8:09  AM 

1950909 

22.21.9.10 

7/2/08  8:24  AM 

1950918 

22.21.9.11 

7/2/08  8:24  AM 

1951104 

22.21.53.98 

7/2/08  8:36  AM 

1951422 

22.21.1.29 

7/2/08  8:56  AM 

1951848 

22.21.1.27 

7/2/08  9:24  AM 

1952310 

138.45.41.10 

7/2/08  9:58  AM 

1953224 

22.21.29.25 

7/2/08  11:04  AM 

1953310 

22.21.29.4 

7/2/08  11:07  AM 

1953343 

22.21.89.80 

7/2/08  11:12  AM 

1953480 

22.21.28.151 

7/2/08  11:20  AM 

1953547 

22.21.28.229 

7/2/08  11:25  AM 

1953601 

22.21.89.80 

7/2/08  11:26  AM 

1953625 

22.21.28.250 

7/2/08  11:30  AM 

1953626 

138.45.43.6 

7/2/08  11:31AM 

1953878 

22.21.28.147 

7/2/08  11:45  AM 

736456 

22.21.14.181 

3/20/08  7:32  AM 

735044 

22.21.14.184 

3/18/08  1:30  PM 

734919 

22.21.14.185 

3/18/08  12:29  PM 

736641 

22.21.14.189 

3/20/08  9:39  AM 

3018023 

22.21.14.89 

5/19/09  2:41  PM 

738619 

22.21.15.109 

3/24/08  10:42  AM 

738695 

22.21.15.14 

3/24/08  12:04  PM 

746832 

22.21.15.14 

4/1/08  10:07  AM 

3858370 

22.21.15.141 

3/16/10  11:01  AM 

2719551 

22.21.15.175 

2/26/09  2:58  PM 

2719560 

22.21.15.175 

2/26/09  3:01  PM 

2488837 

22.21.15.26 

11/21/08  1:32  PM 

2291751 

22.21.15.74 

8/20/08  3:31  PM 

736283 

22.21.160.19 

3/19/08  5:36  PM 

738517 

22.21.160.19 

3/24/08  9:08  AM 

735308 

22.21.160.66 

3/18/08  6:27  PM 

736277 

22.21.160.66 

3/19/08  5:16  PM 

736768 

22.21.160.66 

3/20/08  11:39  AM 

2614328 

22.21.165.176 

1/12/09  5:15  PM 

760031 

22.21.171.31 

4/10/08  12:34  PM 

753993 

22.21.171.32 

4/4/08  4:14  PM 

2374278 

22.21.176.193 

9/25/08  3:30  PM 

3857856 

22.21.183.68 

3/15/10  1:57  PM 

3857884 

22.21.183.68 

3/15/10  2:07  PM 

736209 

22.21.189.27 

3/19/08  3:21  PM 

766070 

22.21.189.27 

4/17/08  5:30  PM 

734773 

22.21.192.156 

3/18/08  10:28  AM 

742034 

22.21.192.157 

3/26/08  10:59  AM 

734648 

22.21.192.158 

3/18/08  9:28  AM 

734667 

22.21.192.159 

3/18/08  9:39  AM 

736667 

22.21.192.159 

3/20/08  10:08  AM 

738555 

22.21.192.159 

3/24/08  9:43  AM 

735870 

22.21.204.243 

3/19/08  9:59  AM 

742337 

22.21.206.174 

3/26/08  2:20  PM 

ManningB_00377722 


Views  of  ACIC  Product  RB08-0617.; 


Record  Key  IP  Address  Visit  Date 


1954030 

22.21.29.6 

7/2/08  11:56  AM 

1954092 

22.21.28.157 

7/2/08  12:03  PM 

1954346 

7.24.2.1 

7/2/08  12:18  PM 

1954362 

22.21.28.152 

7/2/08  12:18  PM 

1954498 

22.21.28.171 

7/2/08  12:33  PM 

1954563 

7.24.2.1 

7/2/08  12:36  PM 

1954800 

22.21.28.169 

7/2/08  12:52  PM 

1955211 

132.143.11.57 

7/2/08  1:18PM 

1955229 

7.24.2.1 

7/2/08  1:23  PM 

1955825 

22.21.28.214 

7/2/08  2:04  PM 

1956621 

22.21.28.157 

7/2/08  3:01  PM 

1972167 

22.21.28.109 

7/3/08  9:03  AM 

1972715 

22.21.28.104 

7/3/08  9:48  AM 

1972753 

22.229.38.69 

7/3/08  9:50  AM 

1973151 

22.21.28.107 

7/3/08  10:18  AM 

1973294 

7.24.2.1 

7/3/08  10:34  AM 

1973297 

148.124.41.66 

7/3/08  10:34  AM 

1973399 

148.124.41.66 

7/3/08  10:40  AM 

1973745 

22.21.28.103 

7/3/08  11:05  AM 

1974869 

22.21.28.150 

7/3/08  12:32  PM 

1974912 

22.21.29.38 

7/3/08  12:34  PM 

1975001 

7.24.2.1 

7/3/08  12:37  PM 

1975298 

22.15.142.165 

7/3/08  12:59  PM 

2041593 

204.21.84.166 

7/6/08  6:34  PM 

2055459 

22.21.29.57 

7/7/08  10:30  AM 

2056328 

22.21.28.74 

7/7/08  11:37  AM 

2056772 

22.229.38.61 

7/7/08  12:03  PM 

2056813 

22.21.28.71 

7/7/08  12:09  PM 

2057076 

22.21.28.74 

7/7/08  12:29  PM 

2057177 

22.21.28.251 

7/7/08  12:32  PM 

2057205 

22.21.28.167 

7/7/08  12:37  PM 

2058041 

22.229.38.25 

7/7/08  1:34  PM 

2058058 

138.45.45.25 

7/7/08  1:35  PM 

2059548 

148.124.208.91 

7/7/08  3:34  PM 

Record  Key  IP  Address  Visit 


1973745 

22.21.28.103 

7/3/08  11:05  AM 

2075028 

22.21.28.103 

7/8/08  10:17  AM 

1972715 

22.21.28.104 

7/3/08  9:48  AM 

1973151 

22.21.28.107 

7/3/08  10:18  AM 

1972167 

22.21.28.109 

7/3/08  9:03  AM 

747116 

22.21.28.110 

4/1/08  1:41  PM 

2253841 

22.21.28.111 

8/11/08  11:20  AM 

1953878 

22.21.28.147 

7/2/0811:45  AM 

2079290 

22.21.28.148 

7/8/08  6:38  PM 

2264237 

22.21.28.148 

8/12/08  6:56  PM 

1974869 

22.21.28.150 

7/3/08  12:32  PM 

1953480 

22.21.28.151 

7/2/08  11:20  AM 

1954362 

22.21.28.152 

7/2/08  12:18  PM 

1954092 

22.21.28.157 

7/2/08  12:03  PM 

1956621 

22.21.28.157 

7/2/08  3:01  PM 

2091885 

22.21.28.157 

7/16/08  6:45  PM 

2091888 

22.21.28.157 

7/16/08  6:48  PM 

2093020 

22.21.28.157 

7/17/08  4:12  PM 

2346018 

22.21.28.157 

9/12/08  1:07  PM 

2289217 

22.21.28.165 

8/19/08  4:38  PM 

2057205 

22.21.28.167 

7/7/08  12:37  PM 

2366356 

22.21.28.168 

9/22/08  6:38  PM 

1954800 

22.21.28.169 

7/2/08  12:52  PM 

2112596 

22.21.28.169 

7/21/08  12:21  PM 

1954498 

22.21.28.171 

7/2/08  12:33  PM 

2088820 

22.21.28.207 

7/14/08  5:09  PM 

1955825 

22.21.28.214 

7/2/08  2:04  PM 

1953547 

22.21.28.229 

7/2/08  11:25  AM 

1953625 

22.21.28.250 

7/2/08  11:30  AM 

2057177 

22.21.28.251 

7/7/08  12:32  PM 

2062005 

22.21.28.251 

7/7/08  6:52  PM 

2056813 

22.21.28.71 

7/7/08  12:09  PM 

2056328 

22.21.28.74 

7/7/08  11:37  AM 

2057076 

22.21.28.74 

7/7/08  12:29  PM 

ManningB_00377723 


Views  of  ACIC  Product  RB08-0617.; 


Record  Key 

IP  Address 

Visit  Date 

2060209 

22.229.38.25 

7/7/08  4:28  PM 

2060343 

7.24.2.1 

7/7/08  4:38  PM 

2062005 

22.21.28.251 

7/7/08  6:52  PM 

2075028 

22.21.28.103 

7/8/08  10:17  AM 

2076464 

7.24.2.1 

7/8/08  12:12  PM 

2076590 

7.24.2.1 

7/8/08  12:17  PM 

2077011 

7.24.2.1 

7/8/08  12:50  PM 

2077092 

7.24.2.1 

7/8/08  12:59  PM 

2077169 

7.24.2.1 

7/8/08  1:03  PM 

2077452 

7.24.2.1 

7/8/08  1:22  PM 

2077730 

7.24.2.1 

7/8/08  1:43  PM 

2077893 

7.24.2.1 

7/8/08  1:56  PM 

2078479 

7.24.2.1 

7/8/08  2:43  PM 

2078857 

7.24.2.1 

7/8/08  3:15  PM 

2078942 

7.24.2.1 

7/8/08  3:24  PM 

2078944 

7.24.2.1 

7/8/08  3:24  PM 

2079083 

7.24.2.1 

7/8/08  3:38  PM 

2079098 

7.24.2.1 

7/8/08  3:41  PM 

2079101 

7.24.2.1 

7/8/08  3:43  PM 

2079121 

22.229.38.25 

7/8/08  4:03  PM 

2079187 

7.24.2.1 

7/8/08  4:50  PM 

2079225 

7.24.2.1 

7/8/08  5:24  PM 

2079233 

7.24.2.1 

7/8/08  5:43  PM 

2079290 

22.21.28.148 

7/8/08  6:38  PM 

2079322 

7.24.2.1 

7/8/08  7:11  PM 

2079355 

7.24.2.1 

7/8/08  8:11  PM 

2080021 

7.24.2.1 

7/9/08  8:59  AM 

2080828 

7.24.2.1 

7/9/08  2:41  PM 

2082162 

7.24.2.1 

7/10/08  9:53  AM 

2082281 

138.45.41.7 

7/10/0811:02  AM 

2082435 

22.21.29.45 

7/10/08  12:15  PM 

2088720 

7.24.2.1 

7/14/08  3:49  PM 

2088820 

22.21.28.207 

7/14/08  5:09  PM 

2088924 

7.24.2.1 

7/14/08  6:37  PM 

Record  Key  IP  Address  Visit  Date 


1953224 

22.21.29.25 

7/2/08  11:04  AM 

1974912 

22.21.29.38 

7/3/08  12:34  PM 

1953310 

22.21.29.4 

7/2/08  11:07  AM 

2082435 

22.21.29.45 

7/10/08  12:15  PM 

2055459 

22.21.29.57 

7/7/08  10:30  AM 

1954030 

22.21.29.6 

7/2/08  11:56  AM 

2656120 

22.21.30.109 

1/30/09  5:43  PM 

2656122 

22.21.30.109 

1/30/09  5:44  PM 

2656123 

22.21.30.109 

1/30/09  5:44  PM 

2656128 

22.21.30.109 

1/30/09  5:48  PM 

2656131 

22.21.30.109 

1/30/09  5:50  PM 

2656171 

22.21.30.109 

1/30/09  6:18  PM 

2667022 

22.21.30.109 

2/4/09  9:43  AM 

2681982 

22.21.30.110 

2/10/09  11:09  AM 

2661885 

22.21.30.123 

2/2/09  12:33  PM 

737561 

22.21.31.101 

3/21/08  12:22  PM 

756021 

22.21.31.108 

4/7/08  10:50  AM 

2263704 

22.21.31.73 

8/12/08  4:37  PM 

3857885 

22.21.31.75 

3/15/10  2:07  PM 

2093126 

22.21.53.119 

7/17/08  5:25  PM 

2656132 

22.21.53.97 

1/30/09  5:50  PM 

1951104 

22.21.53.98 

7/2/08  8:36  AM 

741146 

22.21.53.99 

3/25/08  1:28  PM 

804287 

22.21.77.214 

5/16/08  1:35  PM 

3123962 

22.21.77.214 

6/3/09  3:47  PM 

1953343 

22.21.89.80 

7/2/08  11:12  AM 

1953601 

22.21.89.80 

7/2/08  11:26  AM 

1950477 

22.21.9.10 

7/2/08  7:59  AM 

1950647 

22.21.9.10 

7/2/08  8:09  AM 

1950909 

22.21.9.10 

7/2/08  8:24  AM 

2121142 

22.21.9.10 

7/22/08  2:39  PM 

2128817 

22.21.9.10 

7/25/08  7:46  AM 

1950476 

22.21.9.11 

7/2/08  7:57  AM 

!  1950918 

22.21.9.11 

7/2/08  8:24  AM 

ManningB_00377724 


IP  Address 


Visit  Date 


Views  of  ACIC  Product  RB08-0617.asp 
Record  Key 


IP  Address 


Visit 


Record  Key 


2091885 

22.21.28.157 

7/16/08  6:45  PM 

2091888 

22.21.28.157 

7/16/08  6:48  PM 

2092404 

22.21.9.159 

7/17/08  10:36  AM 

2092555 

22.21.14.133 

7/17/08  12:02  PM 

2092597 

22.21.9.71 

7/17/08  12:10  PM 

2093020 

22.21.28.157 

7/17/08  4:12  PM 

2093126 

22.21.53.119 

7/17/08  5:25  PM 

2112596 

22.21.28.169 

7/21/08  12:21  PM 

2121142 

22.21.9.10 

7/22/08  2:39  PM 

2128817 

22.21.9.10 

7/25/08  7:46  AM 

2128888 

147.254.200.76 

7/25/08  8:27  AM 

2129042 

147.254.200.76 

7/25/08  9:41  AM 

2171089 

22.4.151.29 

7/31/08  3:34  PM 

2179073 

22.21.13.71 

8/1/08  12:50  PM 

2253841 

22.21.28.111 

8/11/08  11:20  AM 

2261516 

207.85.5.238 

8/12/08  11:49  AM 

2263704 

22.21.31.73 

8/12/08  4:37  PM 

2264237 

22.21.28.148 

8/12/08  6:56  PM 

2280870 

7.24.1.2 

8/15/08  2:25  PM 

2289217 

22.21.28.165 

8/19/08  4:38  PM 

2291751 

22.21.15.74 

8/20/08  3:31  PM 

2309365 

7.24.2.1 

8/28/08  11:36  AM 

2321822 

198.201.144.114 

9/3/08  9:18  AM 

2321824 

198.201.144.114 

9/3/08  9:20  AM 

2327505 

22.21.9.135 

9/5/08  3:17  PM 

2327739 

148.124.161.24 

9/5/08  5:57  PM 

2333393 

138.45.43.7 

9/8/08  1:37  PM 

2335266 

22.4.151.29 

9/9/08  4:40  AM 

2346018 

22.21.28.157 

9/12/08  1:07  PM 

2352314 

206.36.111.195 

9/15/08  10:58  AM 

2362192 

199.31.48.33 

9/19/08  3:39  AM 

2365794 

22.213.214.32 

9/22/08  2:00  PM 

2366356 

22.21.28.168 

9/22/08  6:38  PM 

2371712 

207.85.211.41 

9/24/08  3:32  PM 

2327505 

22.21.9.135 

9/5/08  3:17  PM 

735566 

22.21.9.148 

3/19/08  8:02  AM 

2092404 

22.21.9.159 

7/17/08  10:36  AM 

773124 

22.21.9.162 

4/28/08  1:11  PM 

746675 

22.21.9.175 

4/1/08  8:26  AM 

2712099 

22.21.9.201 

2/23/09  5:10  PM 

2661185 

22.21.9.59 

2/2/09  6:29  AM 

3350053 

22.21.9.59 

10/15/09  10:04  AM 

3584293 

22.21.9.59 

11/16/09  7:39  AM 

736430 

22.21.9.62 

3/20/08  7:20  AM 

736671 

22.21.9.62 

3/20/08  10:09  AM 

743223 

22.21.9.62 

3/27/08  2:09  PM 

745875 

22.21.9.62 

3/31/08  10:03  AM 

746605 

22.21.9.62 

4/1/08  7:34  AM 

747607 

22.21.9.62 

4/2/08  6:37  AM 

779250 

22.21.9.62 

5/6/08  11:07  AM 

803999 

22.21.9.62 

5/16/08  10:07  AM 

2092597 

22.21.9.71 

7/17/08  12:10  PM 

743559 

22.21.9.81 

3/28/08  7:58  AM 

743612 

22.21.9.81 

3/28/08  8:22  AM 

756406 

22.21.9.92 

4/7/08  1:57  PM 

734700 

22.21.9.95 

3/18/08  10:04  AM 

3285154 

22.210.112.152 

7/23/09  11:56  PM 

735795 

22.212.21.69 

3/19/08  9:16  AM 

738564 

22.212.21.69 

3/24/08  9:48  AM 

3822271 

22.213.101.127 

1/17/10  8:40  AM 

2775886 

22.213.102.11 

3/9/09  11:43  AM 

2365794 

22.213.214.32 

9/22/08  2:00  PM 

738377 

22.214.7.240 

3/24/08  7:23  AM 

751859 

22.217.66.208 

4/4/08  9:47  AM 

1025004 

22.219.125.15 

6/2/08  8:36  AM 

1025136 

22.219.125.15 

6/2/08  8:43  AM 

1025286 

22.219.125.15 

6/2/08  8:56  AM 

1026477 

22.219.98.121 

6/2/08  10:33  AM 

ManningB_00377725 


Views  of  ACIC  Product  RB08-0617.; 


Record  Key 

IP  Address 

Visit  Date 

2371806 

207.85.211.41 

9/24/08  4:02  PM 

2374278 

22.21.176.193 

9/25/08  3:30  PM 

2407341 

141.220.71.26 

10/9/08  6:05  AM 

2427515 

7.24.2.1 

10/17/08  11:38  AM 

2435955 

22.21.14.167 

10/24/08  10:43  AM 

2458670 

207.85.211.41 

11/6/08  9:15  PM 

2488837 

22.21.15.26 

11/21/08  1:32  PM 

2531693 

22.4.28.24 

12/9/08  6:56  PM 

2531695 

22.4.28.24 

12/9/08  7:00  PM 

2535894 

22.4.28.24 

12/11/08  8:16  AM 

2535973 

22.4.28.24 

12/11/08  8:42  AM 

2535977 

22.4.28.24 

12/11/08  8:45  AM 

2536066 

22.2.52.11 

12/11/08  9:35  AM 

2536442 

22.4.28.22 

12/11/08  11:43AM 

2551140 

132.143.59.182 

12/17/08  9:12  AM 

2551243 

132.143.59.182 

12/17/08  10:02  AM 

2557569 

128.80.150.120 

12/19/08  11:20  PM 

2562095 

22.4.28.24 

12/22/08  7:13  AM 

2563122 

207.85.160.76 

12/22/08  3:17  PM 

2564189 

157.213.35.245 

12/23/08  3:25  AM 

2603633 

22.21.14.172 

1/8/09  10:06  AM 

2614328 

22.21.165.176 

1/12/09  5:15  PM 

2650518 

205.55.32.3 

1/28/09  3:57  PM 

2656120 

22.21.30.109 

1/30/09  5:43  PM 

2656122 

22.21.30.109 

1/30/09  5:44  PM 

2656123 

22.21.30.109 

1/30/09  5:44  PM 

2656128 

22.21.30.109 

1/30/09  5:48  PM 

2656131 

22.21.30.109 

1/30/09  5:50  PM 

2656132 

22.21.53.97 

1/30/09  5:50  PM 

2656171 

22.21.30.109 

1/30/09  6:18  PM 

2661185 

22.21.9.59 

2/2/09  6:29  AM 

2661885 

22.21.30.123 

2/2/09  12:33  PM 

2663463 

146.98.204.43 

2/3/09  2:51  AM 

2663482 

146.98.129.172 

2/3/09  3:13  AM 

Record  Key  IP  Address  Visit  Date 


3852304 

22.22.129.89 

3/5/10  12:23  PM 

3710474 

22.225.28.52 

12/5/09  12:49  AM 

3853024 

22.225.41.22 

3/7/10  11:31  PM 

3687838 

22.225.41.40 

12/1/09  6:31PM 

3810570 

22.225.41.40 

12/29/09  2:40  PM 

3848934 

22.225.41.40 

3/1/10  6:40  PM 

2058041 

22.229.38.25 

7/7/08  1:34  PM 

2060209 

22.229.38.25 

7/7/08  4:28  PM 

2079121 

22.229.38.25 

7/8/08  4:03  PM 

2056772 

22.229.38.61 

7/7/08  12:03  PM 

1972753 

22.229.38.69 

7/3/08  9:50  AM 

3284044 

22.23.113.42 

7/22/09  12:13  PM 

740629 

22.23.113.49 

3/25/08  7:18  AM 

736235 

22.23.20.34 

3/19/08  3:50  PM 

763919 

22.23.92.39 

4/15/08  5:56  PM 

735336 

22.25.254.34 

3/19/08  1:09  AM 

737180 

22.28.12.140 

3/21/08  4:24  AM 

735921 

22.28.162.87 

3/19/08  10:46  AM 

746617 

22.28.2.56 

4/1/08  7:47  AM 

743429 

22.28.224.4 

3/28/08  5:01  AM 

1385780 

22.30.125.52 

6/13/08  9:46  AM 

740649 

22.30.13.141 

3/25/08  7:37  AM 

740666 

22.30.13.141 

3/25/08  7:48  AM 

747689 

22.30.163.210 

4/2/08  7:47  AM 

2719276 

22.30.172.205 

2/26/09  12:43  PM 

745169 

22.30.197.142 

3/29/08  9:57  AM 

746815 

22.30.225.185 

4/1/08  10:00  AM 

1585966 

22.30.73.130 

6/19/08  12:06  AM 

1586349 

22.30.73.130 

6/19/08  12:21  AM 

2958628 

22.4.140.39 

5/11/09  2:19  PM 

2958102 

22.4.140.64 

5/11/09  1:19  PM 

734933 

22.4.151.114 

3/18/08  12:33  PM 

734846 

22.4.151.134 

3/18/08  11:15  AM 

2171089 

22.4.151.29 

7/31/08  3:34  PM 

ManningB_00377726 


Views  of  ACIC  Product  RB08-0617.< 


Record  Key  IP  Address  Visit  Date 


2667022 

22.21.30.109 

2/4/09  9:43  AM 

2667897 

148.124.246.16 

2/4/09  3:05  PM 

2679617 

207.85.211.41 

2/9/09  1:26  PM 

2681982 

22.21.30.110 

2/10/09  11:09  AM 

2682607 

148.124.162.46 

2/10/09  4:05  PM 

2682703 

22.21.14.139 

2/10/09  4:45  PM 

2704194 

7.24.2.1 

2/19/09  5:10  PM 

2712099 

22.21.9.201 

2/23/09  5:10  PM 

2715530 

146.98.194.50 

2/25/09  3:38  AM 

2719276 

22.30.172.205 

2/26/09  12:43  PM 

2719551 

22.21.15.175 

2/26/09  2:58  PM 

2719560 

22.21.15.175 

2/26/09  3:01  PM 

2775886 

22.213.102.11 

3/9/09  11:43  AM 

2795854 

131.240.53.121 

3/16/09  7:01  AM 

2796287 

148.124.165.233 

3/16/09  10:12  AM 

2809412 

158.242.11.93 

3/23/09  1:56  AM 

2810377 

22.21.14.139 

3/23/09  11:54  AM 

2819909 

148.124.19.164 

3/26/09  4:12  PM 

2839703 

22.44.25.112 

4/5/09  12:09  AM 

2840394 

207.84.157.178 

4/5/09  9:58  AM 

2853601 

153.22.111.60 

4/11/09  11:55  PM 

2865433 

205.13.213.115 

4/16/09  11:33  AM 

2939008 

148.124.148.22 

5/8/09  7:21  AM 

2958102 

22.4.140.64 

5/11/09  1:19  PM 

2958628 

2  2.4.140.39 

5/11/09  2:19  PM 

3018023 

22.21.14.89 

5/19/09  2:41  PM 

3018055 

22.21.14.139 

5/19/09  2:54  PM 

3035339 

22.4.151.29 

5/22/09  6:52  PM 

3037422 

22.4.151.29 

5/23/09  3:46  AM 

3063418 

148.124.225.146 

5/26/09  12:30  PM 

3123962 

22.21.77.214 

6/3/09  3:47  PM 

3200924 

204.21.6.15 

6/24/09  1:12  PM 

3217536 

207.84.25.85 

7/1/09  3:37  AM 

3218858 

205.55.0.2 

7/2/09  11:25  AM 

Record  Key  IP  Address  Visit 


2335266 

22.4.151.29 

9/9/08  4:40  AM 

3035339 

22.4.151.29 

5/22/09  6:52  PM 

3037422 

22.4.151.29 

5/23/09  3:46  AM 

1189095 

22.4.28.22 

6/8/08  12:21  PM 

2536442 

22.4.28.22 

12/11/08  11:43  AM 

768258 

22.4.28.225  j 

4/21/08  2:38  PM 

737099 

22.4.28.226 

3/20/08  4:35  PM 

734651 

22.4.28.24 

3/18/08  9:28  AM 

1858846 

22.4.28.24 

6/27/08  10:45  PM 

2531693 

22.4.28.24 

12/9/08  6:56  PM 

2531695 

22.4.28.24 

12/9/08  7:00  PM 

2535894 

22.4.28.24 

12/11/08  8:16  AM 

2535973 

22.4.28.24 

12/11/08  8:42  AM 

2535977 

22.4.28.24 

12/11/08  8:45  AM 

2562095 

22.4.28.24 

12/22/08  7:13  AM 

3808689 

22.4.28.24 

12/24/09  1:17  PM 

3857842 

22.4.28.24 

3/15/10  1:31  PM 

3857845 

22.4.28.24 

3/15/10  1:34  PM 

3857916 

22.4.28.24 

3/15/10  2:50  PM 

758585 

22.4.73.118 

4/9/08  10:43  AM 

754924 

22.4.73.177 

4/5/08  3:08PM 

3857886 

22.41.229.23 

3/15/10  2:07  PM 

2839703 

22.44.25.112 

4/5/09  12:09  AM 

737239 

22.45.248.13 

3/21/08  6:47  AM 

741448 

22.45.248.155 

3/25/08  6:05  PM 

735077 

22.45.248.192 

3/18/08  1:44  PM 

735234 

22.45.42.131 

3/18/08  3:44  PM 

3858220 

22.46.17.79 

3/16/10  9:44  AM 

757303 

22.46.45.28 

4/8/08  9:02  AM 

3302221 

22.47.186.56 

8/2/09  12:31  PM 

3328245 

22.47.186.56 

9/19/09  5:51  PM 

736026 

22.5.18.169 

3/19/08  12:30  PM 

735046 

22.5.185.19 

3/18/08  1:30  PM 

735204 

22.5.19.217 

3/18/08  3:21  PM 
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Views  of  ACIC  Product  RB08  0617.; 


Record  Key  IP  Address  Visit  Date 


3284044 

22.23.113.42 

7/22/09  12:13  PM 

3285154 

22.210.112.152 

7/23/09  11:56  PM 

3285341 

147.254.166.61 

7/24/09  9:46  AM 

3285517 

147.254.166.61 

7/24/09  1:27  PM 

3285538 

147.254.166.61 

7/24/09  1:52  PM 

3302221 

22.47.186.56 

8/2/09  12:31  PM 

3311310 

205.0.132.115 

8/18/09  12:19  PM 

3311314 

205.0.132.115 

8/18/09  12:24  PM 

3320684 

205.0.132.115 

9/5/09  2:26  PM 

3328245 

22.47.186.56 

9/19/09  5:51PM 

3331106 

204.21.20.6 

9/23/09  5:55  PM 

3331687 

22.21.14.17 

9/24/09  1:10  PM 

3350053 

22.21.9.59 

10/15/09  10:04  AM 

3442471 

131.21.139.173 

10/23/09  6:19  AM 

3442971 

131.21.139.173 

10/23/09  6:31  AM 

3482172 

148.124.229.176 

10/30/09  3:45  PM 

3584293 

22.21.9.59 

11/16/09  7:39  AM 

3687838 

22.225.41.40 

12/1/09  6:31  PM 

3710474 

22.225.28.52 

12/5/09  12:49  AM 

3808689 

22.4.28.24 

12/24/09  1:17  PM 

3810570 

22.225.41.40 

12/29/09  2:40  PM 

3821060 

205.14.92.220 

1/14/10  1:36  PM 

3822271 

22.213.101.127 

1/17/10  8:40  AM 

3827031 

22.21.14.177 

1/25/1012:28  PM 

3847225 

7.24.2.1 

2/26/10  9:52  AM 

3848934 

22.225.41.40 

3/1/10  6:40  PM 

3852304 

22.22.129.89 

3/5/10  12:23  PM 

3853024 

22.225.41.22 

3/7/10  11:31  PM 

3854439 

21.245.9.15 

3/9/10  1:13  PM 

3857809 

147.254.238.23 

3/15/10  12:49  PM 

3857842 

22.4.28.24 

3/15/10  1:31PM 

3857845 

22.4.28.24 

3/15/10  1:34  PM 

3857856 

22.21.183.68 

3/15/10  1:57  PM 

3857884 

22.21.183.68 

3/15/10  2:07  PM 

Record  Key  IP  Address  Visit 


750614 

22.5.54.12 

4/3/08  11:46  AM 

750946 

22.5.54.200 

4/3/08  3:42  PM 

743323 

22.5.61.218 

3/27/08  4:54  PM 

1020659 

22.5.67.114 

6/2/08  3:08  AM 

738681 

22.8.101.87 

3/24/08  11:54  AM 

759500 

22.8.102.112 

4/10/08  7:30  AM 

738307 

22.8.112.219 

3/24/08  5:36  AM 

738228 

22.8.245.12 

3/23/08  4:04  PM 

738229 

22.8.245.24 

3/23/08  4:17  PM 

738526 

22.8.245.24 

3/24/08  9:14  AM 

741658 

22.8.33.114 

3/26/08  7:11  AM 

737588 

22.8.36.3 

3/21/08  1:00  PM 

745929 

22.8.84.39 

3/31/08  10:32  AM 

2280870 

7.24.1.2 

8/15/08  2:25  PM 

3857971 

7.24.1.2 

3/15/10  3:42  PM 

1954346 

7.24.2.1 

7/2/08  12:18  PM 

1954563 

7.24.2.1 

7/2/08  12:36  PM 

1955229 

7.24.2.1 

7/2/08  1:23  PM 

1973294 

7.24.2.1 

7/3/08  10:34  AM 

1975001 

7.24.2.1 

7/3/08  12:37  PM 

2060343 

7.24.2.1 

7/7/08  4:38  PM 

2076464 

7.24.2.1 

7/8/08  12:12  PM 

2076590 

7.24.2.1 

7/8/08  12:17  PM 

2077011 

7.24.2.1 

7/8/08  12:50  PM 

2077092 

7.24.2.1 

7/8/08  12:59  PM 

2077169 

7.24.2.1 

7/8/08  1:03  PM 

2077452 

7.24.2.1 

7/8/08  1:22  PM 

2077730 

7.24.2.1 

7/8/08  1:43  PM 

2077893 

7.24.2.1 

7/8/08  1:56  PM 

2078479 

7.24.2.1 

7/8/08  2:43  PM 

2078857 

7.24.2.1 

7/8/08  3:15  PM 

2078942 

7.24.2.1 

7/8/08  3:24  PM 

2078944 

7.24.2.1 

7/8/08  3:24  PM 

2079083 

7.24.2.1 

7/8/08  3:38  PM 
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3857885 

22.21.31.75 

3/15/10  2:07  PM 

3857886 

22.41.229.23 

3/15/10  2:07  PM 

3857892 

7.24.2.1 

3/15/10  2:12  PM 

3857916 

22.4.28.24 

3/15/10  2:50  PM 

3857945 

192.234.101.214 

3/15/10  3:11  PM 

3857971 

7.24.1.2 

3/15/10  3:42  PM 

3857979 

22.21.14.180 

3/15/10  3:47  PM 

3858006 

22.15.142.161 

3/15/10  4:02  PM 

3858019 

148.124.148.14 

3/16/10  7:29  AM 

3858090 

22.20.98.180 

3/16/10  8:33  AM 

3858179 

137.13.136.218 

3/16/10  9:18  AM 

3858220 

22.46.17.79 

3/16/10  9:44  AM 

3858229 

22.21.14.170 

3/16/10  9:54  AM 

3858230 

22.21.14.177 

3/16/10  9:55  AM 

3858251 

22.2.85.46 

3/16/10  10:04  AM 

3858370 

22.21.15.141 

3/16/10  11:01AM 

3858425 

199.56.106.4 

3/16/1011:42  AM 

2079098 

7.24.2.1 

7/8/08  3:41  PM 

2079101 

7.24.2.1 

7/8/08  3:43  PM 

2079187 

7.24.2.1 

7/8/08  4:50  PM 

2079225 

7.24.2.1 

7/8/08  5:24  PM 

2079233 

7.24.2.1 

7/8/08  5:43  PM 

2079322 

7.24.2.1 

7/8/08  7:11  PM 

2079355 

7.24.2.1 

7/8/08  8:11  PM 

2080021 

7.24.2.1 

7/9/08  8:59  AM 

2080828 

7.24.2.1 

7/9/08  2:41  PM 

2082162 

7.24.2.1 

7/10/08  9:53  AM 

2088720 

7.24.2.1 

7/14/08  3:49  PM 

2088924 

7.24.2.1 

7/14/08  6:37  PM 

2309365 

7.24.2.1 

8/28/08  11:36  AM 

2427515 

7.24.2.1 

10/17/08  11:38  AM 

2704194 

7.24.2.1 

2/19/09  5:10  PM 

3847225 

7.24.2.1 

2/26/10  9:52  AM 

3857892 

7.24.2.1 

3/15/10  2:12  PM 
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UNCLASSIFIED//FOR  OFFICIAL  USE  ONLY 

ATTESTATION  CERTIFICATE 


This  document  is  intended  to  meet  the  requirements  set  forth  in  Military  Rules  of  Evidence  Rule 

902(11),  addressing  certified  records  of  regularly  conducted  activity. 


I  swear  or  affirm  that  each  of  the  following  is  true  regarding  the  attached  records,  to  the  best  of 
my  knowledge  and  belief: 

1 .  lam  the  custodian  of  these  records,  or  I  am  an  employee  familiar  with  the  manner  and 
process  in  which  these  records  are  created  and  maintained,  by  virtue  of  my  duties  and 
responsibilities: 

2.  The  records  were  made  at  or  near  the  time  of  the  occurrence  of  the  matters  set  forth  by, 
or  from  information  transmitted  by,  a  person  with  knowledge  of  these  matters; 

3.  The  records  were  kept  in  the  course  of  regularly  conducted  business  activity; 

4.  The  records  were  made  by  the  regularly  conducted  activity  as  a  regular  practice;  and 

5.  The  records  are  a  true,  accurate,  and  complete  copy  of  the  original  documents. 


List  of  attached  records: 

The  following  ACIC  log  files,  with  a  date  range  of  18-Nov-09  to  17-Mar-10: 


ex091119.log 

ex091201.log 

ex091214.log 

ex091217.log 

ex091221.log 

ex091229.log 

ex100207.log 

ex100209.log 


ex100211.log 

ex100214.log 

ex100301.log 

ex100302.log 

ex100308.log 

ex100315.log 

ex100316.log 

ex100317.log 


Organization 


/nz  754  /7ijy 


Signature 


Print  or  Type  Name 


Business  Telephone 

3  01-  &  7  7'  3*b 


Wj'/jc,  0 


Sy$ -Jz'/t 


Business  Address 

JOOO  «  ZyJe 


Subscribed  and  sworn  to  before  a  notary  public,  this  j’/.Z  day 


My  commission  spires  on: 


M«foh  29,  2014 


UNCIASSIFIED//FOR  OFFICIAL  USE  ONLY 
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Prosecution  Exhibit  64 
have  been  entered  into 
the  record  as  a  CD/DVD 
and  will  be  maintained 
with  the  original 
Record  of  Trial 


o 


Q 


Prosecution  Exhibit  65 
14  pages 
classified 
"SECRET” 

ordered  sealed  for  Reason  2 
Military  Judge’s  Seal  Order 
dated  20  August  2013 
stored  in  the  classified 
supplement  to  the  original 
Record  of  Trial 


o 


o 


Prosecution  Exhibit  66 
1  CD 
classified 
"SECRET" 

ordered  sealed  for  Reason  2 
Military  Judge's  Seal  Order 
dated  20  August  2013 
stored  in  the  classified 
supplement  to  the  original 
Record  of  Trial 


o 


Prosecution  Exhibit  67 
1  page 
classified 
"SECRET" 

ordered  sealed  for  Reason  2 
Military  Judge’s  Seal  Order 
dated  20  August  2013 
stored  in  the  classified 
supplement  to  the  original 
Record  of  Trial 


o 


Prosecution  Exhibit  68 
1  CD 
classified 
’’SECRET” 

ordered  sealed  for  Reason  2 
Military  Judge's  Seal  Order 
dated  20  August  2013 
stored  in  the  classified 
supplement  to  the  original 
Record  of  Trial 
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UNITED  STATES  OF  AMERICA 


Manning,  Bradley  E. 

PFC,  U.S.  Army, 

HHC,  U.S.  Army  Garrison, 

Joint  Base  Myer-Henderson  Hall 
Fort  Myer,  Virginia  22211 


) 

) 

) 

) 

) 


STIPULATION  OF 
EXPECTED  TESTIMONY 


) 

) 

) 


Mr.  Stephen  Buchanan 


3.  June  2013 


It  is  hereby  agreed  by  the  Accused,  Defense  Counsel,  and  Trial  Counsel,  that  if  Mr.  Stephen 
Buchanan  were  present  to  testify  during  the  merits  and  pre-sentencing  phases  of  this  court-martial,  he 
would  testify  substantially  as  follows: 

1 .  I  work  as  a  contractor  for  the  National  Security  Agency  (NSA).  1  provide  support  to  Intelink. 

Intelink  is  a  software  suite  operating  on  U.S.  Government  private  networks  which  provides  Internet-like 
services  to  enable  collaboration  between  intelligence  agencies  within  the  U.S.  Government.  Primarily, 
it  includes  a  web-based  search  engine  of  UNCLASSIFIED,  SECRET,  and  TOP  SECRET  information 
systems.  It  hosts  blogs  and  allows  for  messaging,  sharing  files,  and  searching  for  UNCLASSIFIED, 
SECRET,  and  TOP  SECRET  information  across  agencies,  to  include  Intellipedia  for  online 
collaboration  and  Passport  account  management.  In  my  current  position,  I  provide  security  for  Intelink 
and  serve  as  the  Information  Assurance  (IA)  Manager.  This  means  that  I  make  sure  the  systems  work  as 
they  were  intended.  I  work  to  ensure  the  systems  are  properly  maintained  and  guard  against  their 
misuse.  I  have  worked  in  this  role  for  five  years. 

2.  Prior  to  holding  my  current  position,  from  1999-2008, 1  was  an  Information  System  Security 
Engineer  for  Intelink.  In  this  position,  I  made  sure  the  systems  were  built  correctly  to  perform  their 
intended  connection,  search,  and  storage  functions.  Before  that,  I  worked  in  systems  support  within  the 
Intelligence  Community  (IC).  In  total,  I  have  worked  in  the  IA  industry  supporting  different  agencies  in 
the  IC  since  1985. 

3.  I  have  two  primary  I A  and  information  systems  certifications.  First,  I  am  a  Certified  Information 
Systems  Security  Professional  (CISSP).  This  means  I  have  heightened  experience  in  and  knowledge  of 
information  security.  CISSP  is  a  globally  recognized  standard  of  achievement  that  confirms  an 
individual’s  knowledge  in  the  field  of  information  security.  The  training  covers  all  parts  of  information 
security,  including  personal  and  building  security  aspects.  CISSP  indicates  that  an  individual  has 
attained  specialized  knowledge  in  the  field  of  IA  in  accordance  with  standards  articulated  in  Department 
of  Defense  Directive  8570.  In  addition  to  CISSP,  I  also  have  the  Information  Technology  Infrastructure 
Library  (IT1L)  Foundation  certification.  ITIL  is  the  most  widely  adopted  framework  for  IT  Service 
Management  in  the  world.  ITIL  provides  a  framework  on  technology  systems  management,  particularly 
on  how  to  build  information  management  systems  and  manage  them  with  a  specific  process. 

4.  In  my  role  as  IA  Manager  for  Intelink,  I  am  familiar  with  the  audit  logs  created  by  Intelink.  The 
Intelink  system  obtains,  manages,  and  stores  its  own  audit  data  through  the  course  of  its  day-to-day 
operations.  This  data  can  be  used  to  respond  to  user  inquiries,  troubleshoot  technical  problems,  and 
monitor  and  maintain  Intelink  usage  and  performance.  These  logs  are  created  anytime  anyone  makes  a 
connection  with  a  computer  system.  The  system  detects  these  connections  from  servers  -  tracking  the 
workstation  making  the  request  of  the  system,  how  the  request  routes  through  the  system,  and  where  the 
request  ultimately  gets  the  information.  These  connection  loes  are  made  in  real  time  and  stored  in  data 
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files  every  hour.  They  are  computer-generated  and  only  a  very  limited  number  people  have  access  to 
them. 

5.  Intelink  logs  contain  audit  data  captured  from  proxy  servers  that  control  access  to  Intelink  services 
and  show  the  activities  of  users  and  systems  that  connect  to  and  use  the  Intelink  services  while  on 
classified  or  unclassified  networks.  We  know  the  Intelink  audit  logs  are  accurate  for  several  reasons. 
First,  they  write  to  a  secure  server.  Second,  only  limited  personnel  have  access  to  them.  Third,  they  are 
reviewed  by  our  team  at  least  on  a  weekly  basis  to  ensure  that  the  reporting  process  is  occurring 
properly  -  meaning  to  ensure  that  the  log  data  is  being  written  properly.  The  log  data  is  useful  to  us 
because  it  shows  us  how  our  services  are  being  used,  whether  Intelink  services  are  functioning  properly, 
and  whether  adjustments  should  be  made.  We  can  also  use  the  data  to  solve  technical  issues,  determine 
security  risks,  and  review  data  trends  that  help  us  develop  our  management  strategies.  We  can  tell  if 
there  are  errors  because  information  the  logs  normally  collect  would  be  missing.  If  a  data  file  had  been 
corrupted  while  being  written  it  would  not  open.  Missing  or  corrupt  data  files  are  regenerated  from  the 
system.  So,  in  short,  the  data  these  system  logs  have  captured  is  complete  and  accurate. 

6.  I  am  involved  in  this  case  because  we  received  a  request  to  pull  Intelink  audit  logs  given  Intelink 
could  have  been  used  to  gather  information  that  was  ultimately  compromised.  At  that  time,  we  did  not 
track  users  by  log-in  identifiers;  instead,  we  tracked  usage  by  IP  address.  One  of  the  log  data  requests 
was  for  the  Secure  Internet  Protocol  Routing  Network  (SIPRNET)  IP  addresses  22.225.41 .22  and 
22.225.41 .40  from  October  2009  to  June  2010.  Intelink  audit  logs  are  stored  on  a  Linux-based  system. 
To  pull  the  requested  log,  I  performed  a  Linux  search  on  the  server.  This  means  that  I  issued  a  line 
command  telling  the  server  what  information  I  wanted  to  read.  When  the  system  returns  the  data,  the 
system  writes  the  data  to  a  file.  In  reviewing  the  files  returned,  I  could  find  no  relevant  information  in 
the  data  files  for  October  2009  or  June  2010.  However,  there  was  activity  recorded  for  the  relevant  IP 
addresses  for  the  months  November  2009  through  and  including  May  2010.  I  double  checked  to  make 
sure  there  was  no  activity  from  the  relevant  IP  addresses  during  October  2009  and  then  ran  the  search 
again  to  verify  results.  The  results  of  the  second  search  matched  the  results  of  my  original  search.  The 
results  are  saved  automatically  as  a  .txt  file  so  that  they  are  readable  to  the  person  running  the  query. 
When  I  received  the  response  to  my  IP/date  query,  I  opened  the  file  to  make  sure  it  was  readable  and 
that  all  the  data  had  been  reported  properly.  I  did  not  alter  the  file  in  any  way.  I  burned  the  file  to  a  CD 
and  then  turned  it  over  to  Special  Agent  Mark  Mander  with  Army  CID.  These  logs  are  on  the  CD 
marked  Prosecution  Exhibit  (PE)  61  for  identification.  The  filenames  of  the  Intelink  logs  that  I 
attested  to  showing  activity  for  IP  address  22.225.41 .22  are  the  following:  JF10_22.log; 

MAM10_22.txt;  and  ND09_22.log.  The  filenames  of  the  Intelink  logs  that  I  attested  to  showing  activity 
for  IP  address  22.225.41.40  are  the  following:  JF10_40.log;  MAM10_40.txt;  ND09_40.log.  The  file 
“JF10_22.log”  contains  audit  logs  capturing  activity  for  the  22.225.41.22  IP  address  in  January  and 
February  2010.  The  file  “MAM10_22.txt”  contains  audit  logs  capturing  activity  for  the  22.225.41.22  IP 
address  in  March,  April,  and  May  2010.  The  file  “ND09_22.log”  contains  audit  logs  capturing  activity 
for  the  22.225.41.22  IP  address  in  November  and  December  2009.  I  used  the  same  filename  structure  to 
capture  the  contents  of  the  audit  logs  associated  with  the  22.225.41 .40  IP  address. 

7.  The  particular  log  data  I  captured  reported  several  things.  I  will  use  the  following  discrete  line  of 
data  to  show,  by  way  of  example,  what  the  Intelink  logs  mean: 

22.225.41.40  -  -  [29/Nov/2009:04:50: 10+0000]  "GET 

/intelink.  wip.ismc.sgov.gov/WebResource.axd?d=az7kDRRcqCltV13zGP2 1  nQ2&t=63362775675703 1 
250  HTTP/1. 1"  200  6665 
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"http://www.intelink.sgov.gov/search/default.aspx?q=hqda" 
"Mozilla/5.0%20(Windows;%20U;%20Windows%20NT%205. 1  ;%20en- 
US;%20rv:l  .9. 1 .2)%20Gecko/20090729%20Firefox/3.5.2" 

8.  The  significance  of  the  above  line  that  was  pulled  from  Intelink  is  the  following: 

(a)  The  “22.225.41 .40”  is  the  IP  address.  This  indicates  that  a  computer  with  that  IP  address 
made  the  request  for  information.  Essentially,  it  provides  an  electronic  location  for  the  user  using 
Intelink. 

(b)  The  “29/Nov/2009:04:50: 10+0000”  is  the  date/time  group.  The  time  zone  is  reflected  as  the 
offset  from  Greenwich  Mean  Time  (GMT).  In  this  case,  “+0000”  shows  no  offset. 

(c)  The  next  entry  is  the  action  the  user  took.  In  this  case,  for  example,  you  see  “GET”.  This 
command  indicates  the  user  is  seeking  particular  information  on  SIPRNET  through  Intelink.  This  action 
reflects  the  user  clicking  on  something  in  the  website. 

(d)  The  next  entry  is  the  page  being  requested  by  the  action  above.  Here,  it  is 
“/intelink.wip.ismc.sgov.gov/WebResource.axd?d=az7kDRRcqCltV13zGP21  nQ2&t=63362775675703 
1250  HTTP/1.1”.  Intelink.wip.ismc.sgov.gov  is  the  registered  name  for  Intelink,  which  is  on  the 
SIPRNET,  a  secret  government  system. 

(e)  The  code  of  numbers  after  the  information  tells  you  whether  the  user’s  request  was 
successful  and  to  what  degree.  For  example,  the  code  “200”  after  particular  information  indicates  that 
an  internet  home  page  (HTTP)  was  successfully  accessed. 

(f)  The  “6665”  is  the  size  in  bytes  of  the  information  returned  by  the  query. 

(g)  The  entry  "http://www.intelink.sgov.gov/search/default.aspx?q=hqda"  tells  me  that  the  user 
searched  for  the  term  “hqda”  on  intelink.sgov.gov.  “www.intelink.sgov.gov”  is  the  SIPRNET  internet 
address  for  the  secret  government  system  on  which  Intelink  sits.  In  this  entry,  “search”  is  the  specific 
Intelink  service  used  and  “q=hqda”  represents  the  search  query  entered  into  the  search  box  on  the 
Intelink  webpage  on  the  specific  computer  with  the  IP  address  listed  above. 

(h)  The  entry  "Mozilla/5.0”  tells  me  that  the  user  of  the  SIPRNET  computer  with  an  IP  address 
of  “22.225.41 .40”  was  using  version  5  of  the  Mozilla  internet  browser.  Mozilla  is  a  company  that 
produced  internet  browser  software  similar  to  Microsoft  Internet  Explorer  or  Apple  Safari. 

(i)  The  entry  “%20”  represents  a  space  in  the  line. 

(j)  The  entry  “(Windows;%20U;%20Windows%20NT%205. 1  ;%20en-US;20rv:  1 .9. 1 .6)”  tells 
me  the  user  of  the  SIPRNET  computer  with  an  IP  address  of  “22.225.41 .40”  was  using  a  Windows  NT 
workstation  computer. 

(k)  The  entry  “%20Gecko/20090729%20Firefox/3.5.2"  tells  me  that  the  user  of  the 
SIPRNET  computer  with  an  IP  address  of  “22.225.41 .40”  was  using  a  version  of  the  Firefox  internet 
browser,  version  number  “3.5.2”.  Firefox  is  the  specific  name  of  the  internet  web  browser  program 
produced  by  the  Mozilla  company. 
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9.  These  Intelink  logs  only  audit  what  happens  on  the  Intelink  systems.  So,  they  can  only  tell  you  what 
a  particular  user  IP  address  was  doing  when  connecting  with  the  Intelink  system.  It  would  reveal 
Intellipedia  searches  and  other  ways  the  user  IP  address  used  Intelink  services  by  showing  what  files 
within  Intelink  that  IP  address  accessed.  At  the  time,  users  were  not  required  to  have  Intelink  Passport 
accounts  to  use  most  Intelink  services,  including  the  SIPRNET  internet  search  and  browsing.  A 
SIPRNET  Intelink  Passport  account  is  a  username  and  password  account  established  to  allow  access  to 
some  government  websites.  It  is  one  of  the  many  applications  Intelink  uses  on  its  own  internal  systems 
to  track  what  a  user  accesses.  A  user  would  need  an  account  if  he  wanted  to  contribute  to  Intelink 
services  or  access  certain  websites  or  databases  on  SIPRNET,  but  not  just  to  conduct  searches.  To 
create  an  account,  a  user  would  have  to  be  on  the  SIPRNET,  go  to  the  account  creation  page,  and  insert 
personal  information  such  as  name,  contact,  and  organizational  information.  The  user  is  then  notified 
via  SIPRNET  email  with  a  code  to  use  the  first  time  he  accesses  the  site.  Other  government 
organizations  with  websites  and  databases  on  SIPRNET,  use  SIPRNET  Intelink  Passport  accounts  to 
verify  users  before  any  user  may  access  their  information  on  SIPRNET. 

10.  Our  Intelink  organization  maintains  and  stores  the  Intelink  Passport  account  profiles  of  registered 
Intelink  users.  In  response  to  a  request  by  Army  CID,  I  looked  Bradley  Manning  up  in  our  system. 
Someone  with  the  name  “Manning,  Bradley  E”  did  have  an  account.  The  user  name  of  the  individual 
was  “bradley.e.manning”.  According  to  the  user  account,  “bradley.e.manning”  was  in  the  military,  his 
pay  grade  was  E-4,  and  used  an  email  address  of  “bradley.manning@us.army.smil.mil”.  The  username 
is  automatically  generated  based  on  the  common  name  which  is  entered  by  the  individual  setting  up  the 
account.  The  user  information  includes  each  identifying  factor  (such  as  name,  contact  information, 
security  questions  and  answers)  that  the  user  inputted  into  the  system  at  the  time  of  account  creation. 
According  to  the  Passport  Account,  the  last  time  that  the  user  logged  in  was  27  April  2010  at  1 805:46 
Zulu  time.  According  to  the  Passport  Account,  the  registration  date  was  1 1  October  2008.  The  Passport 
Account  information  is  marked  as  PE  62  for  identification. 

11.  I  signed  an  attestation  on  22  June  2012  (BATES  Number:  00505257)  attesting  to  the  authenticity  of 
the  what  have  been  marked  as  PE  61  and  PE  62  for  identification  and  are  the  provided  logs  and  the 
Intelink  Passport  account  information  for  “bradley.e.manning”,  contained  in  the  file  “manning. ldif\ 
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It  is  hereby  agreed  by  the  Accused,  Defense  Counsel,  and  Trial  Counsel,  that  if  Mr.  Peter 
Artale  were  present  to  testify  during  the  merits  and  pre-sentencing  phases  of  this  court-martial, 
he  would  testify  substantially  as  follows: 

1.  I  am  currently  employed  by  the  Army  Counter-Intelligence  Center  (ACIC)  with  the  902d 
Military  Intelligence  Group  on  Fort  Meade,  Maryland.  ACIC  produces  finished  intelligence 
products  for  the  intelligence  community.  It  often  produces  these  products  by  fulfilling  requests 
for  information  from  the  Army.  It  takes  finished  products  and  disseminates  them  on  SIPRNET 
and  JWICS.  I  am  a  Web  Developer  and  the  Team  Lead  of  a  team  of  three  software  developers.  I 
have  worked  in  this  capacity  and  for  ACIC  for  eight  years.  Prior  to  this  position,  I  worked  in 
web  development  for  the  Defense  Intelligence  Agency  (DIA)  for  one  year,  then  with  Booz  Allen 
on  a  one  year  contract  with  National  Geo-Spatial  Agency.  I  was  a  software  development 
engineer  and  programmer  in  the  Air  Force  for  twenty-one  years.  I  retired  from  the  Air  Force  as  a 
Master  Sergeant.  I  also  have  an  Associate’s  degree  in  Computer  Science. 

2.  I  first  became  involved  in  this  case  on  approximately  17  March  2010  after  my  Branch  Chief, 
Ms.  Jessica  Johnson,  alerted  me  to  the  compromise  of  U.S.  Government  information.  Ms. 
Johnson  asked  if  I  could  use  our  system  to  see  who  had  viewed  a  certain  product.  I  could,  as  I 
had  developed  custom  software  to  track  access  to  particular  products.  This  software  captures  the 
viewer  credentials  by  recording  the  Internet  Protocol  (IP)  address  and  date/time  of  access  for 
each  user  who  views  our  ACIC  work  product.  It  then  assigns  a  unique  report  key  to  the  access 
event.  This  occurred  before  we  were  contacted  by  law  enforcement  in  this  case,  as  ACIC  was 
notified  of  the  compromise  of  one  of  our  products  in  March  2010. 

3.  An  IP  address  is  part  of  the  Transmission  Control  Protocol/Intemet  Protocol  (TCP/IP).  A 
protocol  is  the  standard  language  used  to  communicate  over  a  network.  TCP/IP  is  the  most 
common  “language”  that  computers  use  to  communicate  over  the  Internet.  And  so,  an  IP  address 
is  the  method  of  identifying  a  specific  computer  on  a  network.  Only  one  computer  can  be 
assigned  a  specific  IP  address  at  one  time.  Knowing  an  IP  address  allows  us  to  know  which 
computer  on  a  given  network  used  our  products.  Our  software  is  a  custom  product  which,  in 
capturing  this  user  and  access  information,  produces  metrics  which  can  be  used  to  see  which  of 
our  products  are  most  popular  and  how  our  products  are  used.  The  software  only  logged  views 
of  the  document  in  the  “.asp”  format  which  is  the  standard  way  the  product  would  appear  on  the 
website,  “.asp”  is  a  common  file  format  for  web  pages.  This  means  that  the  software  only 
logged  views  of  the  web  version  of  the  document  and  not  the  views  of  the  “.pdf’  or  “.doc” 
version  of  the  document.  Likewise,  the  logs  do  not  indicate  whether  the  document  was  printed 
or  saved,  nor  do  they  indicate  how  long  an  individual  looked  at  the  document,  if  at  all.  We 
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collect  this  data  normally  so  we  can  analyze  it  to  see  where  we  need  to  allocate  our  development 
and  maintenance  resources  to  best  support  our  internal  and  external  customers.  The  information 
produced  by  the  tracking  software  is,  therefore,  called  metrics. 

4.  The  metrics  are  pulled  when  an  engineer  runs  a  certain  query.  These  queries  can  be 
customized  to  pull  only  the  information  the  developer  wants  to  see.  In  this  case,  we  were 
specifically  interested  in  tracking  every  access  to  a  product  titled  “WikiLeaks.org  -  An  Online 
Reference  to  Foreign  Intelligence  Services,  Insurgents,  or  Terrorists  Groups?”  Therefore,  I 
searched  the  product  by  determining  and  searching  for  its  product  identification  number,  which 
is  “RB08-0617”.  The  product  identification  number,  which  is  on  the  document  itself  and 
assigned  internally  by  ACIC,  is  a  identifier  unique  to  each  ACIC  product. 

5.  This  ACIC  product  “WikiLeaks.org  -  An  Online  Reference  to  Foreign  Intelligence  Services, 
Insurgents,  or  Terrorists  Groups?”  is  housed  on  our  website  at  “acic.north- 
inscom.army.smil.mil”  and  is  accessible  only  via  a  classified  network,  such  as  SIPRNET.  I 
wrote  a  custom  query,  by  IP  address  and  visit  time,  to  see  every  time  this  particular  document 
was  pulled  from  the  web  server.  A  custom  query  is  a  method  of  pulling  information  from  a 
database.  I  pulled  these  metrics  from  my  own  workstation.  The  data  is  automatically  pulled  into 
a  Structured  Query  Language  (SQL)  table.  SQL  is  a  computer  language  for  extracting  and 
inserting  information  in  a  database.  It  is  a  standard  computer  language  to  interact  with 
databases.  Printouts  of  SQL  queries  look  like  an  excel  spreadsheet  in  that  it  has  columns  and 
rows;  however,  it  is  not  as  easy  to  search  and  organize  as  an  excel  spreadsheet.  I,  therefore, 
digitally  cut  and  pasted  the  information  from  the  SQL  table  into  an  excel  spreadsheet  and  saved 
the  data  to  my  desktop.  I  then  organized  the  spreadsheets  in  two  separate  manners.  The  first  set 
is  organized  by  visit  date.  The  second  is  organized  by  IP  address  and  then  visit  date.  I  did  not 
alter  the  content  of  the  data  in  any  way  when  searching  for  the  data,  moving  it  from  the  SQL 
table  to  the  excel  spreadsheet,  or  while  in  the  excel  spreadsheet.  I  moved  the  information  and 
organized  it  in  two  separate  manners  because  it  was  easier  to  read.  I  then  emailed  the  metric  data 
to  my  leadership  at  ACIC  as  requested.  The  data  is  stored  securely  on  our  servers  and  is  only 
accessible  to  the  other  three  web  developers  on  my  team.  I  have  no  reason  to  believe  anyone 
else  would  have  modified  the  logs  in  any  way.  This  occurred  before  we  were  contacted  by 
investigators  involved  in  this  case,  as  ACIC  was  notified  of  the  compromise  of  one  of  our 
products  in  March  2010. 

6.  In  this  case,  the  ACIC  document  concerned  was  posted  in  2008.  I  pulled  the  metric  data 
tracking  access  to  this  document  on  17  March  2010.  The  most  recent  access  date  listed  in  the 
metric  data  is  16  March  2010.  The  data  returned  included  view  hits  on  the  document  up  until  the 
morning  I  ran  the  data  query.  The  logs  are  broken  down  by  record  key,  IP  address,  and  visit 
date.  Specifically,  the  metrics  tell  me  the  following  about  the  user  IP  addresses  who  opened  the 
website  containing  the  product  with  a  product  identification  number  of  RB08-0617  in  the  web 
page  format:  a  user  with  the  IP  address  22.225.41 .40  opened  the  web  page  on  1  December  2009 
at  6:3 1  PM;  a  user  with  the  IP  address  22.225.41.40  opened  the  web  page  on  29  December  2009 
at  2:40  PM;  a  user  with  the  IP  address  22.225.41.40  opened  the  web  page  on  1  March  2010  at 
6:40  PM;  and  a  user  with  the  IP  address  22.225.41 .22  opened  the  web  page  on  7  March  2010  at 
11:31  PM. 


2 


w 


w 


7.  The  data  for  these  metrics  is  collected  by  our  custom  software  automatically  when  someone 
clicks  on  one  of  our  links  to  use  our  ACIC  work  product.  This  system  captures  the  time,  date, 
and  IP  address  as  well  as  which  product  is  being  accessed  and  served  out  to  the  requester.  We 
know  this  data  is  accurate  because  there  is  no  human  intervention  into  the  process  and  because 
views  are  logged  using  specific  codes  and  for  specific  products.  Finally,  while  it  is  possible  to 
make  manual  insertions  in  metric  data  output,  those  insertions  cannot  be  backdated  or  over¬ 
written.  This  means  whatever  output  data  the  system  produces  cannot  itself  be  altered. 
Furthermore,  at  the  time  I  pulled  these  logs,  I  did  not  know  to  whom  the  IP  addresses  were 
attached  or  the  reasons  for  which  the  data  was  being  pulled.  I  had  neither  the  motivation  nor 
knowledge  required  to  alter  the  document.  At  no  point  prior  to  pulling  the  metric  log  data,  while 
pulling  the  information,  or  after  securing  it,  did  I  ever  alter  the  data  in  any  way. 

8.  My  Branch  Chief  forwarded  my  email  with  these  metrics  to  Mr.  Winston  Budram,  S-6  and 
Chief  Information  Officer  of  the  902d  MI  Group.  Mr.  Budram  forwarded  the  metrics  to 
investigators  after  they  contacted  our  office.  Prosecution  Exhibit  (PE)  63  for  Identification  is 
the  paper  copy  of  these  logs.  PE  63  for  ID  is  a  printout  of  the  complete  logs  that  I  pulled.  I  put 
the  title  “Views  of  ACIC  Product  RB08-0617.asp”  on  the  top  of  the  excel  spreadsheet.  The  title 
is  based  on  the  ACIC  product  identification  number  and  the  format  of  the  document.  On  the  left 
side  of  every  page  are  the  logs  that  I  pulled  and  organized  by  visit  date.  On  the  right  side  of 
every  page  are  the  logs  that  I  pulled  and  organized  by  IP  Address  and  then  visit  date.  I  believe 
the  information  on  the  top  of  the  page  (“Views  of  ACIC  Product  RB08-0617.asp”;  “Record 
Key”;  “IP  Address”;  and  “Visit  Date”),  which  is  the  same  as  the  title  and  heading  information  on 
the  spreadsheets  that  I  pulled,  was  automatically  produced  by  excel  when  the  spreadsheets  were 
printed. 

9.  I  am  the  custodian  of  the  records  marked  as  PE  63  for  ID  and  an  employee  familiar  with  the 
manner  and  process  in  which  these  records  are  created  and  maintained,  by  virtue  of  my  duties 
and  responsibilities.  PE  63  for  ID  was  made  at  or  near  the  time  of  the  occurrences  of  the  matters 
set  forth  by  or  from  information  transmitted  by,  people  with  knowledge  of  these  matters.  PE  63 
for  ID  was  kept  in  the  course  of  regularly  conducted  business  activity.  It  was  the  regular 
practice  of  the  business  activity  to  make  the  records.  The  records  marked  as  PE  63  for  ID  are  a 
true,  accurate,  and  complete  copy  of  the  original  documents. 
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UNITED  STATES  OF  AMERICA 


Manning,  Bradley  E. 

PFC,  U.S.  Army, 

HHC,  U.S.  Army  Garrison, 

Joint  Base  Myer-Henderson  Hall 
Fort  Myer,  Virginia  22211 

It  is  hereby  agreed  by  the  Accused,  Defense  Counsel,  and  Trial  Counsel,  that  if  Mr.  Sean 
Chamberlin  were  present  to  testily  during  the  merits  and  pre-sentencing  phases  of  this  court- 
martial,  he  would  testify  substantially  as  follows: 

1 . 1  am  a  Systems  Administrator  for  the  S6  shop  of  the  902d  Military  Intelligence  (MI)  Group  on 
Fort  Meade,  Maryland.  The  902d  MI  Group  performs  counterintelligence  functions.  My  section 
is  responsible  for  providing  IT  support  for  all  unit  servers.  In  this  capacity,  I  build  new  servers 
and  maintain  old  ones.  1  have  worked  in  this  capacity  for  ten  years.  Before  that  I  was  active 
duty  military  for  nine  years  and  was  a  Staff  Sergeant  when  I  left  the  Army.  For  the  last  five  of 
my  nine  years  of  active  duty  service,  I  had  the  Military  Occupational  Specialty  (MOS)  33W, 
which  is  Intercept  Electronic  Warfare  Systems  Repair.  In  that  capacity,  I  was  a  systems 
administrator.  To  fulfill  my  current  function,  I  have  received  Security  Plus  training  and  have 
certifications  in  numerous  Microsoft  server  types.  I  also  hold  a  Bachelor’s  degree  in  Information 
Systems  from  the  University  of  Phoenix. 

2.  I  first  became  involved  in  the  present  case  in  July  of  201 1  when  my  supervisor  Mr.  Robert 
Conner,  the  Site  Lead  for  Information  Technology  at  the  902d  MI  Group,  requested  that  I  pull 
Microsoft  Internet  Information  Services  (MIIS)  web  server  audit  event  logs  for  the  contacting  IP 
addresses  22.225.41.22  and  22.225.41.40  between  the  dates  November  2009  and  May  2010. 

MIIS  are  application  logs  that  are  specific  to  the  web  server.  Audit  logs  are  a  record  of  the 
activity  that  occurs  on  the  server  and  enable  system  administrators  like  me  to  track  what  users  do 
on  the  website.  Audit  logs  contain  data  that  is  automatically  written  to  them  on  a  daily  basis. 

Here,  the  audit  logs  record  file  activity  on  a  web  server  from  the  United  States  Government 
computer  assigned  to  the  IP  address  199.32.48.154,  is  a  computer  dedicated  to  processing 
classified  information  at  the  SECRET  level.  This  is  the  IP  address  for  the  ACIC  website  on 
SIPRNET. 

3.  This  data  shows  what  IP  addresses  accessed  our  system  within  that  date  range.  An  IP  address 
is  part  of  the  Transmission  Control  Protocol/Intemet  Protocol  (TCP/IP).  A  protocol  is  the 
standard  language  used  to  communicate  over  a  network.  TCP/IP  is  the  most  common 
“language”  that  computers  use  to  communicate  over  the  Internet.  An  IP  address  is  the  method  of 
identifying  a  specific  computer  on  a  network. 

4.  An  IP  address  allows  us  to  know  which  computer  on  a  given  network  accessed  our  server.  In 
this  case,  I  pulled  eighteen  log  files  for  the  above  IP  address  and  date  range.  The  files  are  named 
the  following:  ex091119.log;  ex091201.log;  ex091214.log;  ex091217.log;  ex091221.log; 
ex091229.log;  exl00207.log;  exl00209.log;  ex  10021 1  .log;  exl00214.log;  exl00301.log; 
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exl00302.log;  exl00308.log;  exl00315.log;  exl00316.log;  exl00317.log,  which  is  the 
automatic  naming  convention  of  Microsoft  based  on  date.  The  files  display  in  text  format.  The 
files  contain  86  entries  for  the  IP  address  of  22.225.41 .22  and  28  entries  for  the  IP  address  of 
22.225.41.40.  The  first  entry  for  22.225.41.22  or  22.225.41.40  is  19  November  ^ 

5.  These  logs  are  on  our  external  web  server,  which  is  one  of  the  servers  I  am  responsible  for 
maintaining.  The  web  server  and  the  logs  are  located  in  what  is  commonly  referred  to  as  the 
“DMZ”,  which  is  the  area  between  our  internal  system  and  the  SIPRNET.  I  pulled  the  data  using 
a  search  window  and  searching  the  IP  address  for  the  given  date  range.  Then  I  searched  for  the 
two  requested  IP  addresses.  I  then  put  the  files  into  an  internal  investigation  folder  and  had  them 
burned  to  a  disc.  I  looked  at  the  disc  to  verify  that  they  were  the  logs  that  I  pulled. 

6.  I  am  familiar  with  these  logs  because  of  my  work  as  a  systems  administrator.  After  I  pulled 
the  logs,  they  were  burned  onto  a  rewritable  disc  by  another  individual.  I  reviewed  the  contents 
of  the  disc  to  ensure  it  contained  the  logs  that  I  pulled.  The  disc  labeled  “Log  Files  902nd  MI 
201 1-0006”  contain  the  logs  that  I  pulled.  Prosecution  Exhibit  64  for  Identification  is  a  copy 
of  this  disc.  I  attested  to  the  authenticity  of  these  logs  on  21  June  2012  (BATES  number: 

00449439).  I  pulled  the  logs  from  the  server  and  did  not  alter  the  content  of  the  logs  in  any  way. 

I  have  no  reason  to  believe  anyone  else  would  have  modified  the  logs  in  any  way  while  they  are 
on  the  server  as  permissions  to  the  “DMZ”  are  very  limited. 
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UNITED  STATES  OF  AMERICA 


Manning,  Bradley  E. 

PFC,  U.S.  Army, 

HHC,  U.S.  Army  Garrison, 

Joint  Base  Myer-Henderson  Hall 
Fort  Myer,  Virginia  22211 

It  is  hereby  agreed  by  the  Accused,  Defense  Counsel,  and  Trial  Counsel,  that  if  Special 
Agent  John  Wilbur  were  present  to  testify  during  the  merits  and  pre-sentencing  phases  of  this 
court-martial,  he  would  testify  substantially  as  follows: 

1 .  I  am  currently  the  senior  Special  Agent  (SA)  at  the  computer  forensic  unit  in  the  office  of  the 
Special  Inspector  General  for  the  Troubled  Asset  Relief  Program  (TARP)  at  the  Treasury 
Department.  In  this  position,  I  collect  and  examine  digital  evidence  to  support  criminal 
investigations.  I  have  held  this  position  since  January  of  2012.  Previously,  I  was  an  SA  for  the 
Department  of  the  Army’s  Criminal  Investigation  Command  (CID),  Computer  Crimes  and 
Investigative  Unit  (CCIU).  I  held  that  position  from  June  of  2010  to  January  of  2012.  As  a 
CCIU  SA,  1  investigated  the  unauthorized  exfiltration  of  classified  and  sensitive  data  and  the  loss 
of  personally  identifiable  information  (PII)  data  worldwide.  I  also  investigated  intrusions  into 
Army  computer  systems.  I  currently  have  over  twenty  years  of  law  enforcement  experience, 
fifteen  of  which  have  been  primarily  devoted  to  conducting  complex  criminal  and  administrative 
cyber-related  investigations. 

2.  I  have  had  substantial  training  to  qualify  me  for  my  position.  I  received  Department  of  State 
law  enforcement  training  in  2005,  CID  law  enforcement  training  in  2002,  and  Police  Officer 
training  in  1990.  In  addition  to  the  evidence-handling  training  included  in  these  courses,  I  also 
attended  the  “Advanced  Crime  Scene  Investigations”  course  at  the  Federal  Law  Enforcement 
Training  Center  in  Glynco,  Georgia  (May  2008).  At  the  time  of  my  involvement  in  this 
investigation,  my  cyber  security  and  forensic  evidence  experience  was  extensive.  Among  other 
courses,  I  had  attended  multiple  courses  put  on  by  Guidance  Software,  the  makers  of  the  EnCase 
forensic  tool;  I  had  attended  the  “Seized  Computer  Evidence  Recovery  Specialist  Certification 
Course”  (October  2001)  at  the  Federal  Law  Enforcement  Training  Center;  and  I  had  attended 
“FT210,  Windows  Forensic  Examinations”  through  the  Defense  Cyber  Investigations  Training 
Academy  (DCITA).  Further,  I  had  obtained  training  in:  “Law  Enforcement  Technology”  (April 
2002)  through  the  University  of  Pittsburgh;  “Advanced  Data  Recovery”  (March  2001)  and 
“Basic  Data  Recovery”  (January  2000)  at  the  National  White  Collar  Crime  Center;  “Operational 
Information  Security  I  and  II”  (July  2000)  at  the  Defense  Information  Security  Agency;  and 
“Computer  Search  and  Seizure”  (June  2000)  through  the  FBI  Academy.  I  have  continued  to 
develop  my  skills  and  expertise.  I  have  attended  training  in  “Windows  7  Forensics”  at  Access 
Data  (December  2010),  the  “Computer  Incident  Response  Course”  (April  2011)  and  a  course  on 
“Introduction  to  Networks  and  Computer  Hardware”  (December  2010)  through  DCITA. 

3.  My  role  in  this  case  was  to  assist  in  witness  interviewing  and  data  collection.  I  collected 
evidence  from  the  United  States  Central  Command  (USCENTCOM)  server  and  from  the 
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Department  of  State  (DoS)  server.  In  collecting  the  USCENTCOM  materials,  I  worked  with  Mr. 
Jacob  Grant  to  collect  both  the  server  logs  as  well  as  information  from  a  particular  folder. 

4.  When  collecting  and  handling  evidence,  I  follow  several  general  procedures.  After  collection, 
I  review  the  evidence  property  custody  document  for  the  appropriate  information.  I  fill  out  the 
date/time/place  of  collection  and  describe  the  evidence  collected.  I  record,  for  example,  serial 
numbers,  markings  for  identification,  and  condition  description  matching  the  associated 
evidence.  Further,  I  ensure  that  the  necessary  information,  such  as  date  and  time,  are  properly 
and  accurately  recorded.  Lastly,  I  maintain  secure  custody  of  the  evidence  prior  to  transferring  it 
to  another  individual.  In  addition  to  following  these  procedures,  when  transferring  to  or 
receiving  evidence  from  another  person,  I  am  also  sure  to  properly  sign,  date,  and  note  the  reason 
for  the  transfer. 

5.  From  the  USCENTCOM  server,  Mr.  Grant  and  I  collected  information  from  the 
USCENTCOM  SharePoint  site  as  well  as  the  audit  logs  which  track  access  to  the  site.  I  was 
interested  in  this  information  so  that  investigators  could  compare  compromised  information 
regarding  the  Farah  investigation  to  information  on  the  USCENTCOM  server,  and  so  that 
investigators  could  identify  computers  which  were  used  to  retrieve  potentially  compromised 
material.  Before  Mr.  Grant  or  I  could  accessed,  imaged,  searched  for,  or  extracted  any 
information,  we  needed  special  authorization  from  MG  Jones,  Chief  of  Staff,  USCENTCOM. 
CCIU  forwarded  a  formal  written  request  through  the  Office  of  the  Staff  Judge  Advocate  to  the 
USCENTOM  J-6  requesting  release  of  this  evidence  on  9  August  2010.  This  request  was 
approved  on  19  August  2010.  The  same  day,  I  worked  with  Mr.  Grant  to  prepare  for  evidence 
collection  by  getting  in  order  the  equipment  we  would  need  for  collection.  Mr.  Grant  ensured 
that  the  laptop,  hard  drive,  and  cables  we  would  need  were  clean  of  any  data  and  ready  for  use. 

6.  The  following  day,  Mr.  Grant  collected  from  the  J-6  shop  a  DVD  containing  the  audit  logs  for 
the  USCENTCOM  SharePoint  server.  The  logs  show,  among  other  things,  the  date/time 
USCENTCOM  documents  were  accessed  on  the  SharePoint  server,  from  December  2009  until 
August  2010.  On  20  August  2010,  he  signed  that  evidence  over  to  me.  I  took  possession  using 
the  evidence  handling  procedures  I  describe  herein  including,  but  not  limited  to,  documenting  it 
on  an  Evidence  Property  Custody  Document  DA  Form  4137  (labeled  as  document  number  (DN) 
122-10  (BATES  number:  00411111).  Later  that  same  day,  I  properly  signed  that  evidence  over 
to  the  CCIU  Evidence  Custodian,  Ms.  Tamara  Mairena.  At  no  point  did  I  alter  the  DVD  or  its 
contents.  I  have  no  reason  to  believe  it  suffered  damage  or  contamination  in  any  way. 

7.  In  addition  to  collecting  the  logs,  I  worked  further  with  Mr.  Grant  to  access  and  collect 
information  from  the  USCENTCOM  SharePoint  collaboration  space  on  the  USCENTCOM 
server.  SharePoint  is  a  tool  produced  by  the  Microsoft  Corporation  to  create  an  internet  interface 
which  allows  users  with  access  to  a  SIPRNET  website  to  collaborate,  for  example,  by  sharing 
files.  The  USCENTCOM  SharePoint  itself  is  only  accessible  via  SIPRNET,  so  a  user  must 
access  it  via  secure  systems  and  a  proper  security  clearance.  The  server  supporting  it,  from 
which  Mr.  Grant  pulled  the  logs,  is  on  virtual  machines  within  a  cluster,  in  a  data  center,  on  a 
storage  area  network  (SAN).  Only  authorized  USCENTCOM  Headquarters  J-6  personnel  are 
granted  access  to  the  facility.  The  data  center  is  protected  by  badge  access,  cipher  locks,  video 
surveillance,  and  an  access  roster.  This  information  was  located  on  SIPRNET  in  the  JAG  folder 


on  the  USCENTCOM  SharePoint  page.  Mr.  Grant  assisted  me  in  locating  it  on  the  system.  We 
sat  at  his  workstation  to  pull  the  folder  contents.  We  knew  where  to  focus  our  search  based  on 
Mr.  Grant’s  SIPRNET  webpage  address  identifications  of  the  information  at  issue  and  because 
investigators  in  the  case  had  cause  to  suspect  the  charged  information  was  housed  in  the 
USCENTCOM  JAG  folder.  In  consultation  with  investigating  forensic  examiner  SA  Dave 
Shaver,  we  determined  the  most  forensically  sound  way  to  collect  the  Farah  information  itself,  as 
well  as  information  about  how  it  was  accessible  on  SharePoint,  was  to  navigate  through  the 
series  of  digital  folders  to  download  the  Farah  file  itself.  As  we  navigated  through  the  folder 
structure  on  the  SharePoint  server,  we  took  screenshots  of  the  contents  of  each  folder,  before  we 
entered  the  subsequent  folder.  A  screenshot  is  the  process  of  obtaining  a  digital  copy  of  the 
computer  screen,  similar  to  a  photograph. 

8.  During  the  morning  of  20  August  20 1 0, 1  connected,  via  a  USB  cable,  a  CCIU-issued 
Voyager  drive  dock  to  the  laptop  which  accessed  the  SharePoint  server  via  a  USB  cable.  I 
connected  a  400GB  Seagate  Barracuda,  SATA  hard  drive  (Serial  Number:  3NFODYJ1)  to  the 
laptop  using  the  drive  dock  and  assigned  that  drive  the  letter  "X".  Using  Microsoft's  Internet 
Explorer,  I  navigated  to  the  SIPRNET  webpage  “www.nonrel.cie.centcom.smil.mil”.  From  this 
screen,  I  clicked  on  the  “Organization”  link.  I  created  a  screen  capture  of  this  page  and  saved  it 
in  a  folder  in  the  Desktop  Directory  called  “screen  shots”.  From  this  screen,  I  clicked  on  the 
“Special  Staff’  link.  I  created  a  screen  capture  of  this  page  and  saved  it  in  the  “screen  shots” 
folder.  From  this  screen,  I  clicked  on  the  “Judge  Advocate”  link.  I  created  a  screen  capture  of 
this  page  and  saved  it  in  the  “screen  shots”  folder.  From  this  screen,  I  clicked  on  the  “JA 
Document  Page”  link.  I  created  a  screen  capture  of  this  page  and  saved  it  in  the  “screen  shots” 
folder.  From  this  screen,  I  clicked  on  the  folder  icon  “Investigations”.  I  created  a  screen  capture 
of  this  page  and  saved  it  in  the  “screen  shots”  folder.  From  this  screen,  I  clicked  on  the  folder 
icon  “Farah”.  I  created  a  screen  capture  of  this  page  and  saved  it  in  the  “screen  shots”  folder. 

The  folder  “Farah”  contained  the  following  sub-folders,  “Admin  Material”,  “Briefs”,  “Email”, 
“Investigations  Tabs”,  “Reports  and  EXSUMs”,  “Timelines”,  and  “Videos”.  I  navigated  to  each 
of  the  sub-folders  and  created  a  screen  capture  for  each  page  then  saved  it  in  the  “screen  shots” 
folder.  The  screen  shots  showed  how  the  SharePoint  portal  was  arranged  and  the  path  to  the 
"Farah"  folder. 

9.  Prosecution  Exhibit  (PE)  65  for  Identification  is  a  computer  printout  that  shows  the  file 
names  and  their  associated  paths  that  we  navigated.  It  is  a  printout  of  a  directory  listing  showing 
the  filenames  of  each  file  and  folder  contained  within  the  Farah  folder  on  the  USCENTCOM 
server  with  individual  line  numbers  printed  to  the  left  of  the  listing.  It  lists  the  first  level  of 
subfolders  within  the  Farah  folder  alphabetically,  and  then  lists  the  filenames  of  the  first 
subfolder.  The  document  continues  this  process  of  listing  subfolder  names  recursively,  until  all 
files  and  their  filenames  in  all  subfolders  have  been  listed. 

10.  Later  in  the  day  on  20  August  2010, 1  recreated  the  folder  “Farah”  on  the  Desktop  Directory 
of  the  laptop  and  included  all  of  the  subfolders  that  resided  in  the  “Farah”  folder.  I  then 
downloaded  each  individual  file  contained  in  the  folder  “Farah”  into  the  same  location  inside  the 
recreated  “Farah”  folder  on  the  Desktop  Directory  of  the  laptop  computer.  After  verifying  that  all 
of  the  files  downloaded  correctly,  I  installed  EnCase  version  6.14.3  on  the  laptop  computer. 


Using  EnCase,  I  created  a  logical  evidence  file  of  the  folder  “Farah”  and  all  of  its  sub-folders. 

The  logical  evidence  file  was  named  “JA-Investigations-Farah  Folder.LOl”.  An  MD5  hash  of 
46el  1229a5d678cabf9c3fa6839f662c  was  obtained  and  recorded.  The  logical  evidence  file  of 
the  folder  “Farah”  was  placed  in  a  folder  named  “EnCase”  on  the  root  of  the  "X"  drive  connected 
to  the  laptop.  I  also  copied  the  recreated  "Farah"  folder  and  all  of  the  sub-folders  and  placed 
them  onto  the  root  of  the  "X"  drive.  Subsequently,  the  folder  "Screen  Shots"  was  then  copied 
and  placed  on  the  root  of  the  "X"  drive  as  well. 

1 1 .  When  beginning  the  process  of  navigating  through  the  JAG  folder  to  obtain  the  Farah 
contents,  I  was  not  required  to  enter  any  login  or  password  window  on  the  main  page.  I  was 
able  to  navigate  to  any  page  and  access  all  folders  and  documents  in  the  document  library, 
including  the  SJA  Investigations  folder  and  the  Farah  folder  without  ever  entering  any 
authentication  or  credential  information.  In  the  Farah  folder,  all  of  the  “video”  files  were 
password  protected,  including  the  a  file  named  "BE22  PAX. zip"  containing  a  video  named 
"BE22  PAX.wmv".  We  therefore  also  requested  and  received  the  password  to  unlock  the  file 
named  “BE22  PAX.zip”  and  the  other  videos  from  USCENTCOM.  PE  66  for  Identification  is 
a  CD  containing  the  file  named  “BE22  PAX.zip”  and  the  video  file  named  “BE22  PAX.wmv”. 
PE  67  for  Identification  contains  the  password  for  the  file  named  “BE22  PAX.zip”  which  I 
received  from  USCENTCOM. 

12.  Later  on  20  August  2010, 1  connected  a  second  400GB  Seagate  Barracuda,  SATA  hard  drive 
(Serial  Number:  3NFOHTG4)  to  the  laptop  using  the  drive  dock  and  assigned  that  drive  the  letter 
"Y".  I  then  recreated  the  process  a  second  time  placing  the  folder  EnCase,  containing  the 
EnCase  logical  evidence  file  for  the  folder  "Farah",  the  recreated  folder  "Farah",  and  the  folder 
"Screen  Shots"  onto  the  root  of  the  "Y"  drive.  The  second  evidence  drive  was  created  as  a 
backup  in  case  the  first  evidence  drive  suffered  a  failure. 

13.  I  later  collected  as  evidence  two  SATA  hard  drives.  These  SATA  hard  drives  each 
contained  images  of  three  folders  (EnCase,  Farah,  and  Screen  Shots),  copied  from  the 
USCENTCOM  SharePoint  server  IP  address  131.240.47.23,  which  was  documented  on 
Evidence/Property  Custody  Document  (EPCD),  Document  Number  (DN)  123-10  (identified  at 
BATES  number:  0041 1113).  In  processing  this  material,  I  handled  and  transferred  the  evidence 
as  I  have  been  trained.  At  no  point  did  I  alter  any  evidence  I  collected.  I  have  no  reason  to 
believe  this  evidence  was  contaminated  or  damaged  in  any  way.  On  20  August  2010, 1  properly 
signed  this  evidence  over  to  Ms.  Tamara  Mairena,  the  CCIU  Evidence  Custodian.  I  did  not 
touch  this  evidence  again. 

14.  Finally,  I  took  possession  of  firewall  logs  from  the  Department  of  State  from  SA  Ron  Rock. 

I  took  possession  of  this  evidence  on  15  October  2010.  He  provided  this  information  on  a  silver 
CD  marked  with  the  words  “Wikileaks  DoS  Firewall  Logs  13  October  2010”.  The  CD  had  a  red 
U.S.  Government  SECRET  sticker  on  it.  I  recognize  it  as  an  official  sticker  because  I  have 
handled  classified  information  before.  I  handled  this  evidence  consistent  with  procedures  as  I 
have  been  trained  and  previously  described.  Upon  taking  custody,  I  checked  to  ensure  the 
evidence  I  was  receiving  matched  the  description  on  the  DA  Form  4137,  labeled  as  DN  151-10, 
Item  1  (identified  at  BATES  number:  00411151).  I  checked  the  date,  time,  and  other  collection 
information.  And  finally,  I  signed  in  the  “Received  By”  column.  While  in  possession  of  this 


evidence,  I  maintained  positive  control.  I  did  not  alter  the  information  on  the  CD.  I  have  no 
reason  to  believe  this  evidence  was  damaged  or  contaminated  in  any  way.  On  18  October  2010, 
I  properly  signed  this  evidence  over  to  Ms.  Mairena,  the  CCIU  evidence  custodian.  I  did  not 
touch  this  evidence  again.  PE  68  for  Identification  is  DN  151-10,  Item  1. 
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It  is  hereby  agreed  by  the  Accused,  Defense  Counsel,  and  Trial  Counsel,  that  if  Mr. 

James  Fung  were  present  to  testify  during  the  merits  and  pre-sentencing  phases  of  this  court- 
martial,  he  would  testify  substantially  as  follows: 

1 .  I  currently  work  as  the  supervisor  of  the  Cyber  Security  Operations  Group  at  Brookhaven 
National  Laboratory  (BNL)  in  Upton,  New  York.  This  Group  is  responsible  for  the  security 
posture  of  BNL  and  is  constituted  by  one  physical  site  where  multiple  BNL  departments’  IT 
directorates  centralize  their  security  operations.  As  supervisor,  I  oversee  the  daily  operations  of 
this  Group.  These  operations  include  intrusion  detection,  audit  log  collections,  and  Cyber 
Security  Incident  Response  Team  (CSIRT)  activities.  Audit  log  collection  entails  collecting 
electronic  audit  logs,  which  track  the  time/date  and  user  activities  of  individuals  using  BNL 
computers.  These  logs  are  used  to  analyze  the  BNL  system  for  security  vulnerabilities  and  also 
to  secure  data  regarding  suspected  security  violations.  The  CSIRT  team  is  responsible  for 
detecting,  responding  to,  and  investigating  cyber  security  violations  as  well  as  pursuing 
allegations  of  fraud,  waste,  and  abuse.  In  its  work,  we  collaborate  with  the  BNL  human 
resources  department,  on-site  security,  and  law  enforcement.  I  have  held  my  supervisory 
position  for  six  years.  I  have  a  Bachelors  degree  in  IT  Management  and  am  certified  as  a 
Forensic  Analyst  by  the  computer  security  professional  association  Global  Information 
Assurance  Certification  (GIAC). 

2.  I  first  became  involved  in  this  case  after  CSIRT  members,  whom  I  supervise,  alerted  me  that 
the  desktop  work  station  computer  of  a  BNL  employee  identified  as  Mr.  Jason  Katz  had  been 
used  contrary  to  BNL  policy.  To  investigate  this  suspected  misuse,  two  members  of  the  CISRT 
team  collected  Mr.  Katz’s  BNL  desktop  computer.  Based  on  BNL’s  report  to  federal  law 
enforcement  officials,  investigators  in  the  present  case  against  PFC  Manning  became  interested 
in  the  contents  of  the  BNL  desktop  computer  assigned  to  Mr.  Katz,  which  my  team  collected. 

No  rationale  for  this  interest  was  communicated  to  me. 

3.  Mr.  Katz  worked  as  a  Systems  Administrator  for  the  Physics  Department  at  BNL.  He  was 
hired  as  a  Junior  Systems  Administrator,  and  was  employed  from  February  of  2009  until  March 
of  2010.  His  primary  responsibilities  were  to  help  maintain  the  computers  that  processed  data 
for  our  Relativistic  Heavy  Ion  Collider  (RHIC)  as  well  as  the  ATLAS  Computing  facility 
(RACF).  As  BNL  has  the  capacity  to  process  large  amounts  of  data  through  our  super  computer 
systems,  Mr.  Katz  was  further  responsible  for  helping  to  manage  the  queue  of  jobs  submitted 
from  institutions  throughout  the  world,  who  seek  BNL’s  assistance  in  processing  large  amounts 
of  data.  For  example,  research  universities  send  large  amounts  of  research  data  to  us,  as  our 
facility  can  process  data  with  the  power  of  five  hundred  computers. 
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4.  Our  CSIRT  team  became  suspicious  of  Mr.  Katz  when  his  desktop  computer  was  removed 
from  our  BNL  network.  This  happens  automatically  when  our  system  detects  that  the  BNL 
computer  attached  to  this  account  is  used  in  a  way  that  violates  BNL  user  agreements.  When  a 
machine  is  blocked  or  disconnected  from  our  BNL  network,  it  is  no  longer  usable  -  including  for 
work  purposes.  Mr.  Katz  approached  our  office  to  have  his  desktop  reconnected  to  the 
network — alleging  that  he  had  been  kicked  off  after  accidentally  clicking  a  prohibited  link  in  an 
email  on  his  personal  account.  Following  this  explanation,  we  reconnected  his  computer  to  the 
network.  However,  upon  considering  the  matter  further,  I  decided  this  was  unlikely  given  the 
activity  detected.  Accordingly,  I  notified  our  Laboratory  Protective  Division  (LPD),  legal 
department,  and  human  resources  office  of  the  suspicious  activity  and  initiated  an  investigation. 
Subsequently,  an  armed  LPD  officer  was  dispatched  to  Mr.  Katz’s  office.  I  further  dispatched 
two  members  of  my  CSIRT  team  to  respond.  Mr.  Withers  was  part  of  the  CSIRT  team.  He  was 
the  team  member  to  first  identify  the  suspicious  activity  associated  with  Mr.  Katz’s  BNL  desktop 
computer.  Further,  given  Mr.  Withers  prior  BNL  work  in  the  same  section  as  Mr.  Katz,  I 
considered  Mr.  Withers  knowledgeable  about  Mr.  Katz’s  official  duty  position.  After  collecting 
Mr.  Katz’s  computer,  Mr.  Withers  delivered  the  machine  to  our  secure  forensic  laboratory  to  be 
forensically  imaged  by  Mr.  McManus. 

6.  Access  to  our  forensic  laboratory  is  secured  by  access  key  card.  Only  members  of  our  Cyber 
Security  Group  have  this  access.  Further,  the  lab  contains  a  safe  used  to  house  evidence 
securely.  This  safe  can  only  be  accessed  when  a  key  and  pass  code  are  used  in  conjunction. 

Only  two  people  hold  this  key  -  myself  and  a  colleague,  who  is  also  a  member  of  the  Cyber 
Security  Group.  Only  members  of  the  Cyber  Security  Group  have  pass  codes  to  the  safe. 

7.  Later  my  team  searched  the  forensic  image  created  by  Mr.  McManus.  Our  search  revealed 
the  presence  of  password  cracking  programs,  which  are  commonly  used  to  break  file  passwords. 
To  the  best  of  my  knowledge,  there  is  no  reason  Mr.  Katz  would  need  these  programs  for  work 
purposes.  I  later  confirmed  this  understanding  with  Mr.  Katz’s  then-supervisor  Mr.  Chan.  I  do 
not  recall  seeing  anything  related  to  WikiLeaks  on  Mr.  Katz’s  computer.  This  would  have  been 
before  I  had  heard  of  WikiLeaks,  so  I  do  not  know  if  I  would  remember  it  if  I  did. 

8.  At  no  point  during  the  detection  of  suspicious  activity  or  the  ensuing  investigation  and 
examination  did  I  alter  Mr.  Katz’s  BNL  computer,  its  hard  drive,  its  other  components,  or  its 
contents  in  any  way.  Furthermore,  I  never  altered  any  forensic  image  made  from  this  computer  in 
any  way.  At  no  point  did  I  observe  anyone  alter  the  computer,  its  hard  drive,  its  other 
components,  or  it  contents  in  any  way.  Likewise,  I  have  no  reason  to  believe  the  evidence  was 
damaged  or  contaminated  in  any  way. 


ASHDEN  FEIN 
MAJ,  JA 
Trial  Counsel 


THOMAS  F.  HURLEY 
MAJ,  JA 
Defense  Counsel 
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Mr.  Alex  Withers 
DATED:  7*  June  2013 


It  is  hereby  agreed  by  the  Accused,  Defense  Counsel,  and  Trial  Counsel,  that  if  Mr.  Alex 
Withers  were  present  to  testify  during  the  merits  and  pre-sentencing  phases  of  this  court-martial, 
he  would  testify  substantially  as  follows: 

1.  I  currently  work  as  an  Investigator  in  the  IT  Division  of  Brookhaven  National  Laboratory 
(BNL)  in  Upton,  NY.  Specifically,  I  am  part  of  a  Cyber  Security  Incident  Response  Team 
(CSIRT).  I  have  held  this  position  for  five  years  (since  September  of  2008).  Prior  to  that,  I 
worked  as  an  Advanced  Technology  Engineer,  responsible  for  helping  to  maintain  the  computers 
that  process  data  for  our  Relativistic  Heavy  Ion  Collider  (RHIC)  as  well  as  the  ATLAS 
Computing  facility  (RACF).  BNL  has  the  capacity  to  process  large  amounts  of  data  through  our 
super  computer  systems.  Accordingly,  in  my  previous  position,  I  was  further  responsible  for 
helping  to  manage  the  queue  of  jobs  submitted  from  institutions  throughout  the  world,  who  seek 
BNL’s  assistance  in  processing  large  amounts  of  data.  I  held  that  position  for  four  years. 

2.  I  hold  a  Bachelors  and  a  Masters  degree  in  Computer  Science.  I  also  hold  three  certifications 
from  the  computer  security  professional  association  Global  Information  Assurance  Certification 
(GIAC)  -  one  in  Forensic  Analysis,  one  in  Incident  Handling,  and  one  in  Intrusion  Analysis. 

3. 1  first  became  involved  in  this  case  after  I  discovered  suspicious  activity  on  the  desktop  work 
station  computer  assigned  to  a  BNL  employee  identified  as  Mr.  Jason  Katz.  Based  on  BNL’s 
report  to  federal  law  enforcement  officials,  investigators  in  the  present  case  against  PFC 
Manning  became  interested  in  the  contents  of  the  BNL  desktop  computer  assigned  to  Mr.  Katz, 
which  I  collected  and  forensically  examined. 

4.  In  my  CSIRT  position,  I  monitor  information  system  security  for  BNL.  In  early  March  of 

2009. 1  discovered  the  BNL  desktop  machine  assigned  to  Jason  Katz  had  a  Firefox  extension. 

An  extension  is  a  program  that  runs  within  the  Firefox  internet  browser  and  that  enhances  the 
user’s  abilities.  For  example,  an  extension  could  allow  a  user  to  project  his/her  Internet  Protocol 
(IP)  to  a  different  location,  and  route  through  a  different  IP  address,  so  that  his/her  actions  on  the 
web  would  appear  to  have  originated  in  that  location  instead  of  the  user’s  actual  location.  In  this 
instance,  the  extension  on  Mr.  Katz’s  machine  implied  that  Mr.  Katz  had  bypassed  BNL  proxy 
servers  designed  to  monitor  BNL  computers’  internet  traffic.  I  further  investigated  this  activity 
by  reviewing  logs  created  by  BNL  reporting  software.  This  review  revealed  that  Mr.  Katz’s 
BNL  desktop  machine  had  a  large  amount  of  Secure  Shell  (SSH)  traffic.  SSH  is  a  computer 
protocol,  or  computer  communication  language,  that  facilitates  secure  or  encrypted 
communications.  This  information,  when  taken  in  conjunction  with  my  review  of  BNL  firewall 
logs,  suggested  that  Mr.  Katz  was  transferring  files  between  his  BNL  machine  and  another 
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computer  outside  his  home  using  an  SSH,  or  encrypted,  connection.  I  know  the  network  to  which 
he  connected  was  not  his  home  computer,  as  the  IP  address  to  which  this  connection  was  made 
did  not  match  his  home  IP  address.  While  I  could  not  tell  which  types  of  files  were  transferred, 
having  previously  occupied  a  duty  position  responsible  for  many  of  the  same  activities  as  Mr. 

Katz  was  then  responsible,  I  know  it  is  possible  for  a  user  in  Mr.  Katz’s  position  to  have  hidden 
files  in  the  BNL  system  and  to  have  used  the  BNL  computing  power  to  run  personal  tasks.  For 
example,  the  BNL  super  computer  power  could  significantly  reduce  the  amount  of  time  it  would 
take  to  decrypt  an  encrypted  file  without  a  password.  I  also  know  that  the  BNL  desktop  CD-RW 
and  USB  drives  would  have  been  enabled  on  his  work  computer.  These  could  have  been  used  to 
transfer  data  onto  removable  media. 

5.  This,  and  other  suspicious  activity,  resulted  in  further  investigation.  Ultimately,  our  system 
detected  that  Mr.  Katz’s  computer  had  accessed  a  website  known  to  contain  pirated  files  We 
were  able  to  find  this  because  Mr.  Katz  upgraded  to  a  web  browser  that  had  a  bug  that  allowed 
me  to  see  what  websites  Mr.  Katz  was  visiting.  Pirated  files  are  illegally  obtained  files.  I  cannot 
recall  all  of  the  websites  visited  by  Mr.  Katz.  The  only  one  that  I  remember  specifically  is  Pirate 
Bay,  a  website  that  allows  for  the  improper  downloading  of  movies  and  other  entertainment 
media.  As  this  was  against  user  agreement  policy,  the  BNL  system  automatically  blocked  Mr. 
Katz’s  desktop  computer  -  essentially  removing  it  from  the  BNL  system.  The  ensuing 
investigation  included  the  collection  of  Mr.  Katz’s  BNL  desktop  computer  for  forensic  imaging 
and  further  investigation.  I  know  this  because  I  was  part  of  the  team  to  report  the  initial 
suspicious  activity  to  my  supervisor  Mr.  James  Fung.  I  then  met  with  and  accompanied 
responding  law  enforcement  personnel  to  Mr.  Katz’s  workstation  for  the  collection  of  his 
computer  Mr.  Katz  was  present  at  the  time  we  obtained  the  BNL  computer.  It  was  a  Dell 
Optiplex  960  computer  with  a  Linux  operating  system,  bar  code  number  138694.  At  the  time  of 
collection  we  checked  to  make  sure  the  computer  did  not  contain  any  removable  media  devices 
such  as  a  thumb  drive.  Then,  my  CSIRT  colleagues  and  I  accompanied  that  computer  to  the 
forensic  laboratory  for  forensic  imaging  by  Mr.  James  McManus.  Mr.  McManus  is  an  IT 
Architect  at  BNL. 

6.  Following  this  imaging  process,  our  Cyber  Security  Team  further  examined  this  forensic 
image  I  know  our  team  examined  it  because  I  participated  in  that  examination.  Our 
investigation  revealed  that  Mr.  Katz  had  password  cracking  software  on  his  BNL  desktop 
computer.  Additionally,  the  computer  housed  at  least  part  of  an  encrypted  .zip  file,  which  it 
appeared,  Mr.  Katz  had  attempted  to  break  into  or  decrypt  using  the  brute  force  attack  method. 
The  brute  force  attack  method  means  using  a  computer-generated  or  pre-generated  list  ot 
possible  passwords  to  crack  an  unknown  password  by  running  different  passwords  against  t  e 
file  one  at  a  time  at  a  very  fast  rate.  We  did  not  have  the  password  to  this  file  and  so  could  not 
open  it  Our  search  also  revealed  movies  that  had  been  downloaded  and  saved  to  Mr.  Katz  s 
work  computer.  I  do  not  recall  whether  WikiLeaks  was  mentioned  in  any  way  on  Mr.  Katz  s 
computer.  This  was  prior  to  my  having  heard  of  WikiLeaks,  so  I  may  not  have  noted  its 
significance  at  the  time. 

7.  At  no  time,  prior  to,  during,  or  after  the  collection  of  Mr.  Katz’s  BNL  computer  did  1 1  alter  its 
hard  drive,  its  other  components,  or  its  contents  in  any  way.  Furthermore,  I  never  altered  any 
forensic  image  made  from  this  computer  in  any  way.  At  no  point  did  I  observe  anyone  alter  the 
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computer,  its  hard  drive,  its  other  components,  or  its  contents  in  any  way.  Likewise,  I  have  no 
reason  to  believe  the  evidence  was  damaged  or  contaminated  in  any  way. 


ASHDEN  FEIN 
MAJ,  JA 
Trial  Counsel 


THOMAS  F.  HURLEY 
MAJ,  JA 
Defense  Counsel 
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Manning,  Bradley  E. 

PFC,  U.S.  Army, 
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STIPULATION  OF 
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Mr.  James  McManus 


DATED:  ±  June  2013 


It  is  hereby  agreed  by  the  Accused,  Defense  Counsel,  and  Trial  Counsel,  that  if  Mr. 

James  McManus  were  present  to  testify  during  the  merits  and  pre-sentencing  phases  of  this 
court-martial,  he  would  testify  substantially  as  follows: 

1 .  I  currently  work  as  an  IT  Architect  at  Brookhaven  National  Laboratory  (BNL)  in  Upton,  New 
York.  In  this  capacity,  I  perform  forensic  imaging  of  the  computers  our  Cyber  Security  Team 
confiscates  and  perform  forensic  analysis  of  those  computers  with  Windows  operating  systems. 

I  also  control  anti-virus  for  the  approximately  five-thousand  computers  connected  to  the  BNL 
system,  and  run  penetration  testing  on  BNL  servers  to  ensure  they  are  secure.  I  work  with  Mr. 
Alex  Withers.  Mr.  James  Fung  is  my  supervisor.  I  have  held  this  position  for  two  years.  For  the 
five  preceding  years,  my  job  title  was  Senior  Engineer;  however,  my  responsibilities  have 
remained  the  same.  I  have  worked  at  BNL  for  thirty  years,  and  have  worked  with  the  Cyber 
Security  Group  for  ten  of  those  years.  For  the  past  five  years,  I  have  attended  at  least  one 
System  Administration  Network  Security  (SANS)  course  on  network  security  and  forensic 
examination  per  year.  The  courses  also  cover  how  to  handle  digital  evidence. 

2.  I  first  became  involved  in  this  case  after  forensically  imaging  the  hard  drive  of  a  desktop 
work  station  computer  of  a  BNL  employee  identified  as  Mr.  Jason  Katz,  which  had  been 
collected  upon  suspicion  of  having  been  used  contrary  to  BNL  policy.  Based  on  BNL’s  report  to 
federal  law  enforcement  officials,  investigators  in  the  present  case  against  PFC  Manning  became 
interested  in  the  contents  of  the  BNL  desktop  computer  assigned  to  Mr.  Katz,  which  I  processed. 

3.  On  24  February  2010, 1  received  a  Dell  Optiplex  960  desktop  computer  assigned  to  Mr.  Katz 
from  Mr.  Alex  Withers.  After  receiving  the  computer,  I  secured  it  in  our  evidence  safe  in  our 
secure  forensic  evidence  laboratory.  The  lab  is  accessible  only  to  the  six  BNL  Cyber  Security 
team  members,  who  must  use  secure  key  card  to  gain  entry.  A  key  and  pass  code  are  required  to 
open  the  safe.  It  is  only  accessibly  if  either  Mr.  Fung  or  his  associate,  who  also  works  in  our 
Cyber  Security  Group,  are  present,  as  they  are  the  only  individuals  with  the  required  key.  Only 
Cyber  Security  Group  members  have  the  required  pass  code. 

4.  On  25  February  2010,  while  in  our  secure  forensic  evidence  laboratory,  I  removed  the  hard 
drive  from  the  Dell  Optiplex  960  BNL  desktop  computer  collected  from  Jason  Katz.  I  obtained  a 
forensic  image  of  this  hard  drive  using  the  program  FTK  imager.  I  followed  standard  imaging 
procedures  on  which  I  have  been  trained  and  which  I  have  used  before. 

5.  A  forensic  image  of  an  item  of  digital  media  is  an  exact  copy  of  the  data  on  the  digital  media. 
Digital  forensic  examiners  image  devices  so  that  the  originally-collected  device  can  be 
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forensically  examined  without  risking  contamination  of  the  original  data.  This  is  standard 
practice  by  digital  forensic  examiners.  The  software  forensic  examiners  use  to  image  the  digital 
evidence  has  built  in  procedures  to  verify  that  the  item  has  been  successfully  duplicated.  For 
example,  the  program  will  note  the  MD5  hash  or  Secure  Hash  Algorithm  1  (SHA1)  hash  value  of 
an  item  of  digital  evidence  before  imaging  (acquisition  hash  value)  and  after  imaging  the  item 
(verification  hash  value).  If  the  two  hash  values  match,  the  item  has  been  successfully 
duplicated  bit-for-bit.  The  hash  value  is  determined  by  mathematical  algorithm  and  is  displayed 
as  a  number/letter  identifier  unique  to  every  item  of  electronically  stored  information.  It  is  the 
equivalent  of  a  digital  fingerprint.  When  the  hash  value  is  generated,  the  entire  hard  drive  will 
have  a  hash  value,  as  well  as  each  individual  file  on  the  hard  drive.  If  there  is  any  alteration  to 
the  hard  drive  or  to  any  file  on  the  hard  drive,  the  acquisition  and  verification  hash  values  will 
not  match.  The  alteration  can  be  as  small  as  adding  a  single  space  into  text  document  or  saving 
the  data  to  a  different  size  device.  In  this  case,  I  used  FTK  Imager  forensic  software  to  complete 
this  imaging  process.  FTK  Imager  is  similar  to  EnCase  and  is  widely  used  by  digital  forensic 
examiners.  I  also  used  a  write  blocker  when  imaging  this  drive  in  order  to  ensure  the  originally 
collected  evidence  was  not  altered  in  any  way.  As  I  stated  earlier,  I  have  received  training  on 
FTK  Imager  and  have  used  it  in  my  other  work.  I  encountered  no  errors  while  conducting  the 
imaging  of  the  evidence  at  issue  in  this  case 

6.  I  processed  a  BNL-owned  Dell  Optiplex  960  desktop  computer  hard  drive  with  Linux 
operating  system,  serial  number  9SZ3MBE3,  bar  code  138694.  I  made  a  forensic  image  of  this 
drive  for  our  lab’s  internal  examination.  In  doing  so,  I  identified  the  SHA1  hash  value  of  the 
hard  drive  collected  to  be  60a5cd8caf580f7clbba415f793550a7349aflbc.  At  no  point  during  my 
handling  of  the  evidence  in  question  did  I  alter  the  computer,  its  hard  drive,  its  other 
components,  or  its  contents  in  any  way.  At  no  point  did  I  observe  anyone  alter  the  computer,  its 
hard  drive,  its  other  components,  or  its  contents  in  any  way.  I  have  no  reason  to  believe  the 
evidence  was  damaged  or  contaminated  in  any  way. 


ASHDEN  FEIN 
MAJ,  JA 
Trial  Counsel 
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It  is  hereby  agreed  by  the  Accused,  Defense  Counsel,  and  Trial  Counsel,  that  if  SA  Troy 
M.  Bettencourt  were  present  to  testify  during  the  merits  and  pre-sentencing  phases  of  this  court- 
martial,  he  would  testify  substantially  as  follows: 

1 .  I  am  a  Special  Agent  (SA)  for  the  Special  Inspector  General  for  the  Troubled  Asset  Relief 
Program  (SIGTARP),  U.S.  Department  of  the  Treasury.  Specifically,  I  work  for  the  Computer 
Forensics  Unit  (CFU),  SIGTARP.  My  current  job  title  is  Senior  Special  Agent  (SSA)  and  I  am 
located  in  Washington,  DC.  As  an  SSA  for  the  CFU,  my  job  primarily  entails  providing  digital 
forensic  and  e-Discovery  support  to  SIGT ARP's  nationwide  criminal  investigations.  I  also 
conduct  criminal  investigations  of  crimes  within  SIGTARP's  investigative  purview.  I  have 
served  as  a  Special  Agent  for  SIGTARP  for  approximately  1  and  a  half  years. 

2.  From  November  2010  to  December  201 1, 1  was  a  Special  Agent  for  the  U.S.  Army  Criminal 
Investigation  Command  (CID).  Specifically,  I  worked  for  the  Computer  Crimes  Investigation 
Unit  (CCIU).  I  was  assigned  to  the  Washington  Metro  Resident  Agency,  CCIU,  and  investigated 
crimes  within  CCIU's  investigative  purview,  with  a  focus  on  the  PFC  Manning  investigation. 

3.  From  June  2007  to  November  2010, 1  was  an  administrator  with  the  Punta  Gorda  Police 
Department  where  I  was  responsible  for  accreditation,  staff  inspections/audits, 
administrative/management  studies,  personnel  supervision,  media  relations,  and  forensic 
imaging/preliminary  analysis  of  digital  evidence  in  cases  ranging  from  prostitution  to  homicide. 

4.  From  May  2005  to  June  2007, 1  owned  and  operated  my  own  business.  From  October  2001 
to  May  2005, 1  was  a  Special  Agent  with  CCIU.  I  supervised  a  team  of  special  agents 
responsible  for  investigating  crimes  within  CCIU's  investigative  purview.  I  was  also  assigned  as 
the  CID  liaison  to  the  U.S.  Army  Computer  Emergency  Response  Team  (ACERT)  and  the  Joint 
Task  Force  -  Global  Network  Operations  (JTF-GNO). 

5.  From  February  1999  -  September  2001, 1  was  a  Special  Agent  with  the  Hawaii  Field  Office, 
CID,  where  I  served  as  an  assistant  team  chief  of  a  drug  suppression  team,  as  well  as  an 
investigator  on  a  general  crimes  investigative  team  and  a  child  abuse/sexual  crimes  investigative 
team. 

6.  I  earned  a  Masters  of  Public  Administration  (Criminal  Justice  Administration)  from  Troy 
University  located  in  Alabama.  I  have  had  extensive  training  in  evidence  collection  and 
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handling  to  include,  but  not  limited  to,  the  17-week  Apprentice  Special  Agents  Course.  In  terms 
of  computers  and  forensics  training,  I  have  completed  multiple  courses  over  the  years.  I 
completed  three  courses  at  the  Defense  Cyber  Investigative  Training  Academy  (DCITA)  in 
Linthicum,  Maryland,  between  the  years  2001  and  2011,  which  covered  digital  media  collection 
issues.  From  2002-2003, 1  attended  two  courses  at  Guidance  Software  in  Reston,  Virginia  (the 
manufacturer  of  EnCase).  During  this  time  I  also  completed  four  courses  at  Learning  Tree 
International,  which  focused  on  information  network  security.  In  2003, 1  completed  the  Federal 
Law  Enforcement  Training  Center  Seized  Evidence  Recovery  Specialist  training/certification  in 
Glynco,  Georgia.  In  2009  and  2013, 1  attended  two  courses  conducted  by  AccessData 
(manufacturer  of  FTK).  In  2012, 1  completed  a  training/certification  course  on  use  of  the 
Cellebrite  Universal  Forensic  Extraction  Device.  These  courses  all  discussed  the  collection, 
handling,  and/or  forensic  analysis  of  digital  evidence. 

7.  I  earned  a  Department  of  Defense  Certified  Digital  Media  Collector  certificate  in  201 1  from 
the  Department  of  Defense  Cyber  Crime  Center  (DC3),  which  must  be  renewed  every  two  years. 
I  have  not  renewed  it  as  I  no  longer  work  for  a  Department  of  Defense  entity.  I  earned  the 
Federal  Law  Enforcement  Training  Center  Seized  Evidence  Recovery  Specialist  certification  in 
2003,  which  did  not  require  recertification.  I  earned  the  Cellebrite  Universal  Forensic  Extraction 
Device  (UFED)  Certification  in  2012,  which  does  not  require  recertification.  I  also  earned  the 
following  certifications  which  have  since  lapsed:  Learning  Tree  International  Network  Security 
Certified  Professional  (2003);  Guidance  Software  Encase  Certified  Examiner  (2004); 

AccessData  Certified  Examiner  (2009).  In  addition  to  my  training  and  certifications,  I  have 
investigated  or  supervised  more  than  1 00  investigations  involving  computer  crime  and 
investigated  or  supervised  between  200-300  criminal  investigations  unrelated  to  computer  crime. 

8.  On  30  August  201 1,  as  part  of  this  investigation,  I  downloaded  the  “Cablegate”  archive  from 
“www.wikileaks.org”  based  on  press  reports  indicating  that  all  Department  of  State  diplomatic 
cables  in  the  possession  of  WikiLeaks  had  been  posted  on  the  WikiLeaks  website.  The  archive  I 
collected  contained  25 1 ,287  purported  Department  of  State  diplomatic  cables  or  messages.  The 
purported  cables  ranged  in  date  from  1966  to  February  2010.  I  know  this  because  I  personally 
reviewed  the  “Cablegate”  archive  after  collection.  This  review  of  the  contents  of  the  archive 
revealed  that  no  information  had  been  redacted  from  the  files. 
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SA  Kirk  Ellis 
_i_June  2013 


It  is  hereby  agreed  by  the  Accused,  Defense  Counsel,  and  Trial  Counsel,  that  if  SA  Kirk 
Ellis  were  present  to  testify  during  the  merits  and  pre-sentencing  phases  of  this  court-martial,  he 
would  testify  substantially  as  follows: 

1 .  I  am  currently  a  Special  Agent  (SA)  criminal  investigator  and  certified  digital  forensic 
examiner  for  United  States  Army  Criminal  Investigation  Command  (CID).  I  am  assigned  to  the 
Rock  Island  Fraud  Resident  Agency  within  the  Major  Procurement  Fraud  Unit  and  am  currently 
deployed  to  Afghanistan.  In  this  position,  I  investigate  fraud  cases  as  a  case  agent.  When  in  the 
United  States,  I  also  provide  forensic  examination  services  to  our  local  field  offices.  I  have  held 
this  position  for  about  one  year.  Previously,  I  worked  at  CID’s  Computer  Crimes  Investigative 
Unit  (CCIU)  as  a  Computer  Crime  Program  Manager  at  Fort  Belvoir,  Virginia  and  Marine  Corps 
Base-Quantico,  Virginia.  I  have  also  worked  as  a  case  agent  with  CCIU.  I  have  been  a  civilian 
SA  with  CID  since  2008.  Before  that,  I  was  an  active  duty  CID  agent  for  three  years  at  Fort 
Bragg,  North  Carolina. 

2.  I  have  substantial  training  to  qualify  me  for  my  position.  I  have  attended  several  courses  run 
by  the  Defense  Cyber  Investigations  Training  Academy  (DCITA)  in  Linthicum,  Maryland.  I 
have  used  the  EnCase  forensic  tool  on  multiple  occasions  in  my  line  of  work.  I  am  also  a 
Department  of  Defense  Certified  Computer  Crime  Investigator.  I  have  a  bachelor’s  degree  in 
multi-disciplinary  studies  with  a  focus  on  business  and  criminal  justice  from  Liberty  University 
in  Lynchburg,  Virginia.  I  have  worked  more  than  a  dozen  fraud  cases,  approximately  a  dozen 
cases  for  CCIU,  and  about  fifty  to  sixty  cases  as  an  active  duty  CID  SA. 

3.  I  first  became  involved  in  this  case  when  I  was  a  case  agent  with  CCIU.  Throughout  the 
course  of  this  investigation,  I  worked  with  several  other  SAs  on  the  investigation  team,  including 
SA  Bowen,  SA  Wilbur,  SA  Edwards,  SA  Ames,  and  SA  Mander.  Primarily,  my  role  on  the 
investigative  team  was  to  assist  with  witness  questioning  and  with  electronic  data  collection. 
Specifically,  SA  Bowen  and  I  collected  the  Department  of  State  (DoS)  server  logs  on  15  June 
2010.  After  coordinating  with  Mr.  Albert  “John”  Janek  at  the  DoS  for  authorization,  we 
collected  the  logs  from  a  server  room  in  the  Harry  S.  Truman  Building  of  the  DoS  in 
Washington,  DC.  We  were  interested  in  collecting  the  DoS  server  logs  so  we  could  see  users 
that  had  accessed  the  servers,  and  what  files  were  specifically  accessed.  In  this  instance,  we 
collected,  or  copied,  the  logs  from  January  2009  to  June  2009,  and  from  30  April  2010  to  15 
June  2010.  We  were  not  able  to  collect  DoS  server  log  files  between  July  2009  and  30  April 
2010  based  on  an  electronic  recording  gap.  The  files  that  were  copied  were  placed  in  “.zip”  files 
and  named  “logs.zip”  and  “newlogs.zip.”  I  collected  these  log  files  in  accordance  with  the 
training  I  have  received.  The  DoS  gave  me  a  host  comDuter  that  could  access  the  logs  between 
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their  firewalls  and  collected  the  files  on  a  clean  USB  removable  drive  (“thumb  drive”).  It  was 
my  practice  to  wipe  and  format  a  thumb  drive  prior  to  collection.  Wiping  is  more  than  just 
deleting;  it  means  forensically  removing  all  information  from  a  drive.  It  ensures  the  device  is 
completely  empty  of  all  types  of  data.  Mr.  Janek  first  possessed  the  thumb  drive,  and  then 
signed  it  over  to  me  when  I  finished  collecting  the  files  from  the  host  computer. 

4.  After  Mr.  Janek  signed  the  thumb  drive  over  to  me,  I  brought  the  thumb  drive  back  to  CID.  I 
created  an  image  of  the  information  using  EnCase.  I  imaged  these  items  of  evidence  so  that  the 
data  on  the  device  can  be  forensically  examined  without  exposing  the  actual  collected  contents  to 
examination.  The  image  I  created  was  verified  by  hash  value  match.  I  encountered  no  errors 
while  conducting  the  imaging  of  the  evidence  at  issue  in  this  case.  Once  I  verified  that  the  hash 
values  matched,  I  saved  the  EnCase  image  on  a  DVD  so  that  it  could  be  examined  and  logged  it 
as  evidence.  I  know  it  was  clean  and  appropriate  for  evidence  collection  for  two  reasons.  First, 
it  was  the  same  type  of  DVD  our  office  uses  to  collect  evidence  in  our  standard  digital  evidence 
collection  practices.  Second,  it  was  new  and  factory-made.  I  know  the  data  I  put  onto  it  had 
been  unaltered  because  the  hash  value  of  the  logs  collected  onto  the  clean  thumb  drive  matched 
the  hash  value  of  the  logs  after  I  saved  them  to  the  DVD.  The  DVD  was  marked  “0028-10- 
cid221-101 17  Dept  of  State  Server  Logs,  199.56.188.73”.  I  used  a  DA  Form  4137, 
Evidence/Property  Custody  Document  (EPCD),  Document  Number  (DN)  78-10  to  describe  the 
evidence,  and  signed  it  over  to  the  evidence  custodian,  Mr.  Garon  Young.  I  do  not  have  any 
reason  to  believe  that  the  evidence  suffered  damage  or  contamination.  I  did  not  touch  this 
evidence  again.  Prosecution  Exhibit  (PE)^5  f°r  Identification  is  DN  78-10,  the  DVD 
containing  the  DoS  server  logs. 
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It  is  hereby  agreed  by  the  Accused,  Defense  Counsel,  and  Trial  Counsel,  that  if  SA  Mark  Mander 
were  present  to  testify  during  the  merits  and  pre-sentencing  phases  of  this  court-martial,  he  would  testify 
substantially  as  follows: 

1 .  On  2  November  2010,  SA  John  Wilbur  and  I  visited  Ms.  Debra  Van  Alstyne  at  Ms.  Van  Alstyne’s 
residence  in  Potomac,  Maryland.  We  were  searching  for  a  box  that  had  been  sent  to  Ms.  Van  Alstyne’s 
residence  from  the  confinement  facility  in  Kuwait  where  PFC  Manning  had  been  held.  As  procedure,  the 
confinement  facility  collects  personal  items,  like  your  wallet  or  clothing,  and  places  them  in  a  container.  1 
thought  those  items  may  have  some  evidentiary  value,  but  we  were  unable  to  obtain  an  authorization  to 
search  the  container  prior  to  PFC  Manning’s  departure  from  Kuwait.  Once  PFC  Manning  left  the 
confinement  facility,  the  standard  procedure  is  for  the  facility  to  ship  the  personal  items  to  the  confinee’s 
home  of  record.  I  was  able  to  determine  that  the  box  had  been  signed  for  by  PFC  Manning’s  father  at  Ms. 
Van  Alstyne’s  residence,  so  we  contacted  Ms.  Van  Alstyne  to  see  if  she  had  received  the  box  as  well  as  to 
inquire  into  any  other  items  of  evidentiary  value  in  the  basement  room  where  PFC  Manning  had  stayed. 

2.  When  we  arrived  on  2  November  2010, 1  noticed  that  many  of  PFC  Manning’s  personal  items  that  had 
been  strewn  about  in  June  2010,  when  1  last  visited  Ms.  Van  Alstyne,  were  now  organized  into  plastic 
containers.  During  the  process  of  looking  through  the  containers,  we  identified  several  items  of  digital 
media,  including  digital  memory  cards.  With  Ms.  Van  Alstyne’s  consent,  we  collected  these  items  of 
digital  media.  One  of  the  items  we  collected  was  an  SD  memory  card,  bearing  the  serial  number 
BE0915514353G.  Ms.  Van  Alstyne  identified  this  SD  memory  card  as  the  property  of  PFC  Manning. 

3.  Using  standard  evidence  collecting  procedures,  I  collected  this  SD  memory  card  by  marking  it  with 
“2123, 2  Nov  10,  MAM”  for  identification.  I  then  recorded  it  as  Item  2  on  a  DA  Form  4137  marked  as 
document  number  (DN)  162-10.  Using  the  DA  Form  4137, 1  properly  released  this  piece  of  evidence  to 
the  CCIU  evidence  custodian,  Ms.  Tamara  Mairena  on  3  November  2010.  While  in  possession  of  this 
item,  1  maintained  control  over  it,  stored  it  properly,  and  allowed  no  one  else  access  to  the  SD  card.  I  did 
not  alter  the  evidence  in  any  way.  I  have  no  reason  to  believe  this  evidence  was  damaged  or 
contaminated  in  any  way. 

4.  Prosecution  Exhibit*^ for  Identification  is  the  SD  card  (Item  2  of  P'T 
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It  is  hereby  agreed  by  the  Accused,  Defense  Counsel,  and  Trial  Counsel,  that  if  SA 
Ronald  Rock  were  present  to  testify  during  the  merits  and  pre-sentencing  phases  of  this  court- 
martial,  he  would  testify  substantially  as  follows: 

1 .  I  currently  work  as  a  Special  Agent  with  the  U.S.  Department  of  State  (DoS).  Diplomatic 
Security  Service  (DSS).  Prior  to  becoming  a  Special  Agent  with  the  DSS,  I  served  as  a  Sergeant 
on  the  DSS,  Uniformed  Division  from  1999-2001.  There,  1  provided  oversight  for  over  fifty 
uniformed  officers  at  nine  DoS  annexes  in  Washington,  D.C.  and  Maryland.  I  graduated  from 
the  DSS,  Basic  Special  Agent  Class  in  July  2002  where  I  won  the  DSS  Director’s  award  as  the 
top  graduate.  Since  then,  I  have  served  in  the  DSS  Washington  Field  Office  (2002-2004);  the 
Secretary  of  State's  Protective  Detail  (2004-2006);  U.S.  Embassy  Bogota  (Colombia)  (2006- 
2008);  the  National  Defense  Intelligence  College  (2008-2009);  the  Special  Investigations 
Division  (2009-2012).  During  my  three  years  in  the  Special  Investigations  Division  (SID), 
where  I  was  promoted  to  Acting  Branch  Chief  in  charge  of  supervising  seven  other  special 
agents,  my  portfolio  included  the  responsibility  for  investigating  cases  of  criminal  and 
administrative  misconduct  by  DoS  employees,  their  family  members  and  contractors,  as  well  as 
employees  from  other  agencies  under  Chief  of  Mission  authority  at  U.S.  Consulates  and 
Embassies  worldwide.  I  led  the  investigative  effort  lor  DSS  on  several  high  profile  cases 
involving  the  unauthorized  disclosure  of  DoS  classified  information.  Additionally,  I  drafted  the 
standard  operating  procedure  by  which  SID  currently  investigates  leaks  of  DoS  classified 
information. 

2.  I  currently  work  at  the  U.S.  Consulate  in  Mazar-e  Sharif,  Regional  Command  North, 
Afghanistan.  There,  my  team  and  I  are  responsible  for  the  safety  and  security  of  all  American 
diplomats  who  travel  through  the  nine  provinces  comprising  Northern  Afghanistan. 

3.  In  this  case,  I  was  involved  with  the  coordination  for  evidence  collection,  as  well  as  the  actual 
collection  of  evidence  at  the  DoS.  Specifically,  I  coordinated  with  DoS  Deputy  Chief 
Information  Officer  (DCIO)  Charlie  Wisecarver  to  obtain  a  CD  containing  Department  of  State 
SIPRNET  firewall  log  traffic  for  IP  addresses  22.225.41.40  and  22.225.41.22.  On  14  October 
2010, 1  visited  DCIO  Wisecarver  in  Washington,  D.C.  and  collected  a  disk  containing  the 
firewall  logs  from  the  DoS  classified  system.  The  disk  was  a  silver  CD  bearing  the  markings 
•‘Wikileaks  DoS  Firewall  Logs  13  Oct  10.”  It  bore  a  US  Government  SECRET  sticker.  This 
disk  was  important  to  our  investigation  as  the  logs  showed  connections  between  the  DoS  NCD 
database  and  the  IP  addresses  of  the  SIPRNET  machines  assigned  to  PFC  Manning. 
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4.  On  15  October  2010, 1  signed  the  CD  marked  with  the  words  “Wikileaks  DoS  Firewall  Logs 
13  October  2010”  over  to  SA  John  Wilbur.  I  handled  this  evidence  consistent  with  procedures  as 
I  have  been  trained.  When  signing  over  the  evidence,  I  used  a  Department  of  the  Army  Evidence 
Property  Document  (DA  Form  4137)  with  the  label  DN  151-10  and  this  CD  was  item  1  (BATES 
numbers:  0041 1151-00411152).  While  in  possession  of  this  evidence,  I  maintained  positive 
control.  I  did  not  alter  the  information  on  the  CD.  I  have  no  reason  to  believe  this  evidence  was 
damaged  or  contaminated  in  any  way.  I  did  not  touch  this  evidence  again. 

5.  Prosecution  Exhibit  68  for  Identification  is  this  CD  (DN  151-10,  Item  1). 
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It  is  hereby  agreed  by  the  Accused,  Defense  Counsel,  and  Trial  Counsel,  that  if  Mr.  Doug 
Schasteen  were  present  to  testify  during  the  merits  and  pre-sentencing  phases  of  this  court-martial,  he 
would  testify  substantially  as  follows: 

1.  While  1  currently  work  for  a  private  software  company  in  Seattle,  Washington,  I  was  previously  the  IT 
Director  at  Willco  Technologies.  I  held  that  position  for  six  years.  In  that  position,  I  took  care  of  all  the 
technology-related  tasks  and  served  as  the  main  point  of  contact  and  database  administrator  for  the  U.S. 
Army’s  Training  &  Certifications  Tracking  System  (ATCTS).  The  U.S.  Army  hired  Willco  Technologies 
to  build  and  then  maintain  a  database  tracking  system  for  U.S.  Army  Information  Assurance  (IA) 
certifications.  I  developed  the  database  and  oversaw  its  development. 

2.  I  recognize  Prosecution  Exhibit  (PE)IP-i  for  Identification  (BATES  numbers:  0041 1400  - 

0041 1401 )  as  a  print  out  from  the  ATCTS.  ATCTS  is  the  database  I  built,  and  it  tracks  the  activity  status 
of  U.S.  Army  personnel  as  well  as  the  dates  of  the  users’  information  assurance  (IA)  training 
certifications.  I  recognize  PE\)t|for  ID  as  the  one  I  provided  on  3 1  January  2012  to  investigators  in  the 
present  case  against  PFC  Manning.  Along  with  PE  1)^  for  ID,  I  provided  an  attestation  to  its  authenticity 
notarized  by  a  Notary  Public  and  it  is  identified  at  BATES  number:  0041 1399. 

3.  PE M  for  ID  shows  PFC  Manning’s  IA  certification  status.  It  shows  that  the  user  name:  “Bradley 


Manning  ’  is  no  longer  active  in  our  system.  All  soldiers  must  have  IA  training,  at  least,  on  a  yearly  basis. 
As  a  soldier,  he  would  have  an  account  in  our  system.  PE  \)^for  ID  shows  PFC  Manning’s  IA  trainings 
were  dated  5  September  2008  and  then  3 1  October  2009.  This  tells  us  that  PFC  Manning  had  received 
the  yearly  IA  training  and  associated  certification  necessary  for  computer  usage  through  October  2010. 

As  of  the  time  I  provided  this  print  out  in  January  of  2012,  PFC  Manning  had  an  “inactive  status”. 
Accordingly,  his  account  had  been  disabled  and  he  wouldn’t  be  able  to  log  in.  A  user  attains  this  status 
when  (s)he  is  not  in  compliance  with  the  yearly  IA  requirement.  For  users  who  are  in  compliance,  their 
unit  identifiers  show  up  in  the  lines  indicating  “command”  and  “unit”. 

4.  This  training  information  is  collected  automatically  by  the  Army  Signal  Command  at  Fort  Gordon, 
GA,  when  a  user  completes  the  annual  IA  exam  online.  It  is  then  transmitted  to  our  system  for  automatic 
updating.  Our  system  further  tracks  the  extra  training  necessary  for  users  who  are  certified  as  system 
administrators.  Our  system  shows  PFC  Manning  has  not  had  any  of  the  required  system  administrator 
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24  pages 
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’’SECRET" 

ordered  sealed  for  Reason  2 
Military  Judge’s  Seal  Order 
dated  20  August  2013 
stored  in  the  classified 
supplement  to  the  original 
Record  of  Trial 


Number 

fP 

Date/  Time 

Time  Zone 

"GET  /intelink. wiD. ismc. SROv.ROv/search/default.aspx?q=jtf+gtmo  HTTP/l.l"  200  10446  "http://www.mtelmk.SEQv.gov/home.aspx - . 

"GET  /intelink. wip. ismc.sgov.gov/wiki/JTF-GTMO_Detainee_Assessments  HTTP/1.1  200  34061 

GMT+0000 

"GET  /intelink.wip. ismc. sgov.gov/w/index.php?title=-&action=raw&gen-css&maxage=18000&smaxage-0&ts-20100305032147  HTTP/1.1  200  370 

'http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee_Assessments" _ . — . — - 

"GET  /intelink. wip.ismc.sgov.gov/inteldocs/action.php?kt path info-ktcore.actions.document.view&fDocumentld-132787  HHP/l.l  uouu 

"GET /intelink.  wip. ismc.sgov.gov/inteldocs/action. php?kt_path_info=ktcore.actions.document.view8ifDocumentld  132787  HTTP/1.1  200  38/402 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view8ifDocumentld=132802  HTTP/1.1  000  0 

"http://www.intelink.SROv.gov/wiki/JTF-GTMO  Detainee_Assessments" - - - „  . . - 

•'GET  /intelink. wip. ismc.sgov.gov/inteldocs/action.php7kt_pathjnfo-ktcore. actions. document. view&fDocumentld-132802  HTTP/l.l  2UU4bZ»5:> 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee_Assessments" - — - 

"GET /intelink.wip.  ismc.sgov.gov/inteldocs/action. php?kt_path_info=ktcore.actions.document.view8ifDocumentld=13UU93  hi  ip/i.i  uuuu 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detamee Assessments; - .  

"GET /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt pathjnfo=ktcore.actions.document.view8ifDocumentld-130093  HTTP/l.l  200  240889 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" - - - - - - — . . 

"GET /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt_path_info=ktcore.actions.document.view&fDocumentld=132793  HTTP/l.l  000  0 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee Assessments" . . . .  . . - 

3/5/2010  3:25 

GMT+0000 

"GET /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt pathjnfo'ktcore.actions.document.view&tDocumentld-i32/y4  nMP/i.i  20U  281921 

3/5/2010  3:25 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt_path_info=ktcore.actions.document.view&fDocumentld  132793  HTTP/l.l  000  0 
"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee_Assessments" - - - - — . . 

3/5/2010  3:25 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/actTon.php?kt_path_info=ktcore.actions.document.view&fDocumentld=130098  HTTP/l.l  000 0 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO_Detainee_Assessments; _  _ _ _ = - 

22.225.41.22 

3/5/2010  3:25 

GMT+0000 

"GET /intelink.wip. ismc. sgov.gov/inteldocs/action. php?kt_path_info=ktcore. actions. document. view8ifDocumentld-130098  HTTP/l.l  200  266809 
"http://www.intelink.sgov.gov/wiki/JTF-GTMO_Detainee_Assessments; - - - , — r: - 

3/5/2010  3:26 

GMT+0000 

"GET  /intelink.wip. ismc. sgov.gov/inteldocs/action. php?kt_path_info=ktcore. actions. document. view8ifDocumentld=130114  HTTP/l.l  000  0 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments"  . . . . .  -g  - 

3/5/2010  3:26 

GMT+0000 

"GET /intelink.wip. ismc. sgov.gov/inteldocs/action. php?kt_pathJnfo=ktcore.actions.document.view&tDocumentld=130114  HTTP/l.l  200  260078 

"http://www.intelink.sgov.gov/wiki/JTFjTMg  Detainee_Assessments" _ _ _ _ _ _ _ _ 

22.225.41.22 

3/5/2010  3:26 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt_pathJnfo-ktcore.actions.document.view&fUocumentld-132792  HTTP/l.l  uuu  u 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO Detainee Assessments"  „m,uTTI„1  - 

22  225  41.22 

3/5/2010  3:26 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path mfo=ktcore.actions.document.view&fDocumentld  132792  HTTP/l.l  200  457228 

•'http://www.intelink.sRov.gov/wiki/JTF-GTMO.Detainee  Assessments; - - - - — - - - - 

22.225.41.22 

3/5/2010  3:28 

GMT+0000 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee_Assessments" - - - _  „„nr  - 

22.225.41.22 

3/5/2010  3:28 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action.php?kt_path_info=ktcore. actions. document.view8ifDocumentld-132795  HTTP/l.l  200  303277 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" - - 

22.225.41.22 

3/5/2010  3:28 

GMT+0000 

"GET /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt_path_info=ktcore.actions.document.view&fDocumentld-13 7934  hi  ip/i.i  uuuu 

"httn://www.intelink.seov.gov/wiki/JTF-GTMO  Detainee_Assessments" _ _ _ _ _ _  _ _ _ ,-q - 

3/5/2010  3:28 

GMT+0000 

"GET /intelink.wip. ismc.sgov.gov/inteldocs/action. php?ktjpath_info=ktcore.act»ons.document.view&tDocumentid-i3/934  HTTP/l.l  200  2755033 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments"  - - - 

23 

3/5/2010  3:28 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action.phpPkt_path_mfosktcore.actJOns.document.view8ifDocumentld-137930  HTTP/l.l  000  0 
"http://www.intelink.sgov.gov/wiki/JTF-GTMO_Detainee_Assessments'1 _ _ _ _ _ _ _ 

24 

22.225.41.22 

3/5/2010  3:28 

GMT+0000 

"GEX  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt_path_info=ktcore. actions. document. view&fDocumentld=137930  HTTP/l.l  2tXJ83b8/ 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" _ _ _ 

PROSECUTION  EXHIBIT  12. for  idgffliffifotion 

PAGE  OFFERED: _ PAGE  ADMITTED: _ 

PAGE _ OF _ PAGES 


im — 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info-ktcore.actions.document.view&fDocumentld-132800  HTTP/1.1  000  0 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt_path_info=ktcore.actions.document.view&fDocumentld=132800  HTTP/1.1  200  749447 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action.php?kt_path_info=ktcore. actions. document.view&fDocumentld-132788  HTTP/1.1  000  0 

’GET /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt_pathJnfo=ktcore.actions.document.view&fDocumentld-132788  HTTP/1.1  20U  17/932 

"GET  /intelink.wip.ismc. sgov.gov/inteldocs/action. php?kt_path_info=ktcore. actions. document. view&fDocumentld=132796  HTTP/1.1  000  0 

"GET /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path mfo=ktcore.actions.document.view&fDocumentld  13279b  MI  fh/i.i  2UU39152o 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments^ - - - - - 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt_path_info=ktcore.actions.document.view&fDocumentld=137917  H I  TP/1.1  2UU  BblbU 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt_path_info=ktcore.actions.document.view&f0ocumentld=132784  HTTP/1.1  504  492 

GMT+0000 

“GET /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt_path_info=ktcore.actions.document.view8tfDocumentld=13/333  hi  ip/i.i  2uu  ossio 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee.Assessments" - - - -  ■ . . - 

GMT+0000 

"GET /intelink.wip. ismc.sgov.gov/inteldocs/action.php?kt_path_info=ktcore. actions. document.viewgifDocumentld=137929  HTTP/1.1  2U0  2b/4/U2 
"http://www.intelink.sROv.Rov/wiki/JTF-GTMO  Detainee  Assessments" 

35 

22.225.41.22 

3/5/2010  3:30 

GMT+0000 

"GET  /intelink. wip.ismc.sgov.gov/inteldocs/action.php7kt _path_info=ktcore.actions.document.view&fDocumentld=137935  HTTP/1.1  200  161202 

36 

22.225.41.22 

3/5/2010  3:30 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt_path_info=ktcore. actions. document.view&fDocumentld:=137926  HTTP/1.1  504  492 

"httD://www.  intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments"  _ . _ 

37 

22.225.41.22 

3/5/2010  3:31 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt_path_info-ktcore.actions.document.view8ifDocumentld-132790  HTTP/1.1  504  492 
"http://www.intelink.sgov.gov/wiki/JTF-GTMO_Detainee_Assessments'' _ _  _ _ _ 

38 

22.225.41.22 

3/5/2010  3:32 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt_path_info=ktcore. actions. document. view&fDocumentld=;132783  HTTP/1.1  200  161441 

"http://www.intelink.sgov.ROv/wiki/JTF-GTMO  Detainee  Assessments" 

39 

22.225.41.22 

3/5/2010  3:32 

GMT+0000 

"GET /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt_pathJnfo=ktcore.actions.document.view&fDocumentld=137922  HTTP/1.1"  200  4401442 
"http7/www  intelink.seov.eov/wiki/JTF-GTMO  Detainee  Assessments" _ _ _ _ _ _ — - - - - 

22.225.41.22 

3/5/2010  3:33 

GMT+0000 

"GET /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt_path_info=ktcore.actions.document.view&fDocumentld=132798  HTTP/1.1  5U4  492 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

41 

22.225.41.22 

3/5/2010  3:34 

GMT+0000 

"GET /intelink.wip.ismc. sgov.gov/inteldocs/action. php?kt_path__info=ktcore. actions. document.view&fDocumentld-132791  hi  i p/i.i  2UU  55/8U2 
"http://www.intelink.sgov.gov/wiki/JTF-GTMO Detainee Assessments"  ...cnTT?; - 

42 

22.225.41.22 

3/5/2010  3:34 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info-ktcore.actions.document.view(SitDocumentid  130139  HTTP/1.1  504  492 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO_Detainee_Assessments" - . — _ _ 

43 

22.225.41.22 

3/S/2010  3:35 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt_path_info=ktcore.actions.document.viewg1tDocumentld-13UO//  H 1 1  p/l.i  200  260518 

”htto7/www. intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

22.225.41.22 

3/5/2010  3:36 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt_path_info=ktcore.actions.document.view&fDocumentld-130039  HTTP/1.1  200  298707 
"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

22.225.41.22 

3/5/2010  3:37 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action.php?kt_pathJnfo=ktcore.actions.document.view&fDocumentld=130034  HTTP/1.1  200  256566 

“httn://www. intelink. sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" _ _ _ _ — - - 

22.225.41.22 

3/5/2010  3:38 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt_path_info=ktcore.actions.document.view&fDocumentld-130184  HTTP/1.1  200  256718 
"http://www.intelink.sgovgov/wiki/JTF-GTMO Petainee Assessments" 

47 

22.225.41.22 

3/5/2010  3:38 

GMT+0000 

"GET /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt pathJnfo=ktcore.actions.document.viewt4tUocumentia-i3Ui4s  m  i  IP/1.1  200  239831 

"httD-//www. intelink.SROv.gov/wiki/JTF-GTMO  Detainee  Assessments"  

48 

22.225.41.22 

3/5/2010  3:38 

GMT+0000 _ 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/aaion.php?kt_pathJnfo-ktcore.actions.document.view8ltUocumentld- 130045  HTTP/1.1  200  265481 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" _ _ _ — 

GMT+0000 

"GET  /mtelink.wipJsmc.sgov.gov/inteldocs/action.php?kt_pathJnfo=ktcore.actions.document.view&fDocumentld-132807  HTTP/1.1  200  bibubb 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

GMT+OOOO 

"GET /intelink.wip. ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore. actions. document. view8ifDocumentld-130015  HTTP/1.1  200  262433 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

"GET /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view8ifDocumentld  130154  HTTP/1.1  200  2//5b4 

"http://wvyw.intelink.SRov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

"GET /intelink.wip. ismc.sgov.gov/inteldocs/action.php?ktjpathJnfo=ktcore.actions.document.view&tDocumentld  130090  Hr  ip/i.i  zuO  280184 

GMT+0000 

“GET /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore. actions. document. viewiitDocumentld-1328U4  hi  ip/li  2uu  6b lib/ 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

GMT+OOOO 

"GET  /intelink.wip.ismc.sgov. gov/inteldocs/action.php?kt path info=ktcore. actions. document.view&tDocumentld-132/y/  H 1 1  p/1.1  2uu  256947 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

"GET /intelink.wip.ismc.sgov. gov/inteldocs/action.php?kt path info=ktcore. actions. document.view&tDocumentld=l30ll /  Ml  IP/1.1  200  253425 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

GMT+OOOO 

"GET  /int'eiink. wip.ismc.sgov.gov/inteld ocs/action.php?kt pathJnfb=ktcore.actions.document.view&fDocumenttd=130083  HTTP/1.1  200  271948 

3/5/2010  3:40 

GMT+OOOO 

"GET  /intelink.wip.ismc.sgov. gov/inteldocs/action.php?kt_path_info=ktcore.actions.document.view&fDocumentld=130082  HTTP/1.1  200  264895 
"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

GMT+OOOO 

"GET /intelink. wip.ismc.sgov.gov/inteldocs/action.php7kt path info=ktcore. actions. document. view&fDocumentld-130165  HTTP/1.1  200  302447 

59 

22.225.41.22 

3/5/2010  3:41 

GMT+OOOO 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt_path_info=ktcore. actions. document.view&fDocumentld-130120  HTTP/1.1  200  256389 
"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

60 

22.225.41.22 

3/5/2010  3:41 

GMT+OOOO 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore.actions.document.view&tDocumentid-13Ul /4  h  f  1  P/i.i  200  259258 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO_Detainee_AssessmentsH _ .  „ _ _ _ 

61 

22.225.41.22 

3/5/2010  3:41 

GMT+OOOO 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt_path_info=ktcore.actions.document.view&fDocumentld=132803  HTTP/1.1  200638932 

62 

22.225.41.22 

3/5/2010  3:41 

GMT+OOOO 

"GET /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt_path_info=ktcore.actions.document.view&fDocumentld=137923  HTTP/1.1  200  488218 

63 

22.225.41.22 

3/5/2010  3:41 

GMT+OOOO 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action.php7kt path info=ktcore.actions.document.view&tDocumentid=l3Ul24  Hi  IP/i.l  ^uu  z96922 

64 

22.225.41.22 

3/5/2010  3:41 

GMT+OOOO 

"GET /intelink.wip. ismc.sgov.gov/inteldocs/action.php7kt pathJnfo=ktcore.actions.document.view&tDocumentid-i32/99  m  1 1  P/1.1  200  557101 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee_Assessments" _ _ _ — - - - - 

65 

22.225.41.22 

3/5/2010  3:41 

GMT+OOOO 

"GET /intelink. wip.ismc.sgov.gov/inteldocs/action.php?kt_path_info=ktcore. actions. document. view&fDocumentld-132806  HTTP/1.1  200  667523 

66 

22.225.41.22 

3/5/2010  3:42 

GMT+OOOO 

"GET  /intelink. wip.ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore.actions.document.view&fDocumentld=132786  HTTP/1.1  200  645392 

"http://www.intelink.sgov.gov/wiki/JTF-GTMQ Detainee Assessments" ^ - 

67 

22.225.41.22 

3/5/2010  3:42 

GMT+OOOO 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt pathJnfo=ktcore.actions.document.view8(tDocumentld-132805  H 1 1  P/1.1  200  741723 

68 

22.225.41.22 

3/5/2010  3:42 

GMT+OOOO 

"GET /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore.actions.document.view8ifDocumentld=132789  HTTP/1.1  200  657377 

22.225.41.22 

3/5/2010  3:42 

GMT+OOOO 

"GET /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore.actions.document.view8ifDocumentld=132785  HTTP/1.1  200  270624 

"http://www.intelink.SROv.gov/wiki/JTF-GTMO  Detainee  Assessments" 

70 

22.225.41.22 

3/5/2010  3:42 

GMT+OOOO 

"GET  /intelink.wip.ismc.sgov  ,gov/inteldocs/action.php?kt  _path_info=ktcore.actions.document.view&fDocumentld=132801  HTTP/1.1  200  433518 

71 

22.225.41.22 

3/5/2010  3:42 

GMT+OOOO 

"GET /intelink. wip.ismc.sgov.gov/inteldocs/action.php7kt path info-ktcore. actions. document. view8ifDocumentld=132794  HTTP/1.1  200  569293 

72 

22.225.41.22 

3/5/2010  3:42 

GMT+OOOO 

"GET /intelink.wip. ismc.sgov.gov/inteldocs/action.php?kt_path_info=ktcore. actions. document.view8ifDocumentld=132826  HTTP/1.1  200371015 
"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" _ _ _ 

IP 

Time  Zone 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore. actions. document.view&fDocumentld=132829  HTTP/1. 1”  200  236318 

'http://www.intelink.seov.Eov/wiki/JTF-GTMO  Detainee  Assessments"  - - - 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action.php?kt_pathjnfo=ktcore. actions. document.view&fDocumentld=132818  HTTP/1.1  2U0  12Ulb/ 

“http://www.intelink.sgov.eov/wiki/JTF-GTMO  Detainee  Assessments" - - 

GMT+0000 

"GET  /intelink.wip.ismc. sgov.gov/inteldocs/action. php?kt_path_info=ktcore. actions. document.view&fDocumentld-132827  HTTP/1.1  200  465U12 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/atf  ion. php?kt jD3thJnfo=ktcore.atf  ions.document.view&tDocumentld-1328ll  h  i  i  y/ l.x  zuu  oiobtx* 
"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" _ 

GMT+0000 

"GET /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt_path_info=ktcore. actions. document.view&fDocumentld-13UU9S  Hi  ip/i.i  2uu  z/<»y2y  j 

"GET /intelink.wjp.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&f0ocumentld=132830  HTTP/1.1  200  464514 

"http://www.intelink.sgov.eov/wiki/JTF-GTMO  Detainee  Assessments" 

GMT+0000 

"GET /intelink.wip.ismc.5gov.gov/inteldocs/action.php?kt_path_info=ktcore.actions.document.view&fDocumentld-132809  HTTP/1.1  200  643230 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments"  - - 

GMT+0000 

"GET  /intelink.wip.ismc. sgov.gov/inteldocs/action. php?kt_path_info-ktcore.actions!aocument.view&fDocumentld-132817  HTTP/1.1  200  436493 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt pathjnfo=ktcore.actions.document.view&fDocumentld-132819  HTTP/1.1  200  285811 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments"  . . . . _ _ 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt_pathJnfo=ktcore.actions.document.view&fDocumentld=132833  HTTP/1.1  200  503411 

22.225.41.22 

3/5/2010  3:43 

GMT+0000 

"GET/intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt_path_info=ktcore.actions.document.view&fDocumentld-132813  HTTP/1.1  200  93944 
"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments"   

84 

22.225.41.22 

3/5/2010  3:43 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldoc5/action.php7kt path Jnfo=ktcore.actions.document.view&fDocumentld=132825  HTTP/l.l  200112887 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO Detainee Assessments'' -  -  uttdm  imjcccn - 

85 

22.225.41.22 

3/5/2010  3:43 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt pathj'nfo=ktcore.actions.document.view&fDocumentld=137920  HTTP/l.l  200  48bbi  / 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments"  - 

22.225.41.22 

3/5/2010  3:43 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt_path_info=ktcore.actions.document.view&fDocumentld=132832  HTTP/l.l  200153377 

"http://www.intelink.SEOv.gov/wiki/JTF-GTM0.  Detainee Assessments" m  - 

22.225.41.22 

3/5/2010  3:43 

GMT+0000 

"GET /intelink.  wip.ismc.sgov.gov/inteldocs/action.php7kt path info-ktCOre  .actions.document.view&fDocumentld  132810  HTTP/l.l  200  3380950 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO_Detainee_Assessments" - - - , — _ — - 

88 

22.225.41.22 

3/5/2010  3:43 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt_path_info=ktcore. actions. document.view&fDocumentid-l32828  HTTP/l.l  200  761493 
"http://www.inte^ink.sgov■gov/wiki/JTF-GTMO Detainee Assessmentsl, - 

89 

22.225.41.22 

3/5/2010  3:44 

GMT+0000 

"GET /intelink. wip.ismc.sgov.gov/inteldocs/atfion.php7lct path Jnfosktcore.actions.document.vlew&fDocumentld=132822  HTTP/l.l  200  3b 7ii2 

90 

22.225.41.22 

3/5/2010  3:44 

GMT+0000 

22.225.41.22 

3/5/2010  3:44 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action.php7kt_path_info-ktcore. actions. document.view&fDocumentld-132824  HTTP/l.l  200  372095 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

22.225.41.22 

3/5/2010  3:44 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld-130133  HTTP/l.l  200  314U52 

93 

22.225.41.22 

3/5/2010  3:46 

GMT+0000 

"GET '/intelink. wip.ismc.sgov.gov/inteld ocs/action.php?kt_path_info=ktcore.actions.document.view8ifDocumentld-132816  HTTP/l.l  200  760483 
"http://www.intelink.sgov.gov/wiki/JTF-GTMO_Detainee  Assessments"  - .  . .  . . 

22.225.41.22 

3/5/2010  3:46 

GMT+0000 

"GET /intelink.wip. ismc.sgov.gov/inteldocs/action.php7kt_path_info-ktcore.actions.document.view8itDocumentld-137928  HTTP/l.l  200  542257 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO_Detainee_Assessments: . . . . — - 

95 

22.225.41.22 

3/5/2010  3:46 

GMT+0000 

"GET /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt_path_info=ktcore.actions.document.view&fDocumentld-130003  HTTP/l.l  2UU  264 lur 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments"  - 

96 

22.225.41.22 

3/5/2010  3:46 

GMT+0000 

"GET /intelink.wip. ismc.sgov.gov/inteldocs/action.php?kt_path_info=ktcore.actions.document.viewl4tDocumentld-137925  HTTP/l.l  200  58798 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" _ 

Time  Zone 

Action  - 

3/5/2010  3:46 

GMT+0000 

"GET  /intelink.wi  pJsmc.sgov.gov/inteldocs/action  .php?kt_path_info=ktcore.actions.document.view&fDocumentld-137931  HTTP/1.1  200  4360348 
"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

GMT+0000 

"GET  /intelink.wip.  ismc.sgov.gov/inteldocs/action.  php?kt_path_info=ktcore.actions.document.view&fDocumentld=132821  HTTP/1.1  504  492 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt_path_info-ktcore.actions.document.view8ifDocumentld=137919  HTTP/1.1  200  4021606 

3/5/2010  3:46 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info-ktcore.actions.document.view&fDocumentld=132815  HTTP/1.1  200  381626 

GMT+0000 

"GET /intelink.  wip.ismc.sgov.gov/inteldocs/action. php?kt_path_info=ktcore.actions.document.view&fDocumentld-132820  HTTP/1.1  504  492 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt_path_info-ktcore.actions.document.view&fDocumentld=130041  HTTP/1.1  200  218967 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt_path_info=ktcore.actions. document. view&fDocumentld=130127  HTTP/1.1  200  286245 

3/5/2010  3:50 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info-ktcore.actions.document.view&tDocumentld=132823  H 1 1  P/l.l  zuo  3Zbu28 

GMT+0000 

"GET /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt pathJnfo=ktcore.actions.document.view&tDocumenti(J-i30l/8  h  i  i  v/i.i  5u4  492 

"httD://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

3/5/2010  3:50 

GMT+0000 

"GET /intelink.wip, ismc.sgov.gov/inteldocs/action.php?kt_pathJnfo=ktcore.actions.document.view&fDocumentld=137932  HTTP/1.1  200  110949 

107 

22.225.41.22 

3/5/2010  3:51 

GMT+0000 

"GET/intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt_path_info=ktcore.actions.document.view8ifDocumentld-137927  HTTP/1.1  200  161074 
"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

108 

22.225.41.22 

3/5/2010  3:51 

GMT+0000 

"GET  /intelink.  wip.ismc.sgov.gov/inteldocs/action.php?kt_path_info=ktco  re. actions.document.view8ifDocumentld-132812  HTTP/1.1  504  492 

109 

22.225.41.22 

3/5/2010  3:53 

GMT+0000 

"GET /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt pathJnfo=ktcore.actions.document.view&fDocumentld=132814  H1TP/1.1  5U4  4yz 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

110 

22.225.41.22 

3/5/2010  3:53 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt_path_info=ktcore.actions.document.view&fDocumentld=132854  HTTP/1.1  504  492 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

111 

22.225.41.22 

3/5/2010  3:53 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt pathJnfo=ktcore.action$.document.view&fDocumentld-132848  HTTP/1.1  504  492 

112 

22.225.41.22 

3/5/2010  3:54 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt_path_info=ktcore.actions.document.view&fDocumentld-137921  HTTP/1.1  504  492 

113 

22.225.41.22 

3/5/2010  3:54 

GMT+0000 

"GET  /intelink.  wip.ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore.actions.document.view&fDocumentld=137918  HTTP/1.1  200  46221Ub 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

114 

22.225.41.22 

3/5/2010  3:55 

GMT+0000 

"GET /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&tDocumentld=144739  H 1 1  P/1.1  200  159677 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

115 

22.225.41.22 

3/S/2010  3:57 

GMT+0000 

"GET /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt_pathJnfo=ktcore.actions.document.view&tDocumentld-137924  HllP/l.i  504  492 

116 

22.225.41.22 

3/5/2010  3:57 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt_path_info=ktcore.actions.document.view&fDocumentld-132840  HTTP/1.1  200  112b44 

117 

22.225.41.22 

3/5/2010  4:03 

GMT+0000 

"GET /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&tDocumentld-l44U3b  HllP/l.i  000  0 

118 

22.225.41.22 

3/5/2010  4:03 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt_path_info=ktcore.actions.document.view&fDocumentld=144036  HTTP/1.1  000  0 
"http  //www. intelink. sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

119 

22.225.41.22 

3/5/2010  4:04 

GMT+0000 

"GET /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt pathJnfo=ktcore.actions.document.view&fDocumentld-14403b  Ml  tp/l.l  200  132797 

120 

22.225.41.22 

3/5/2010  4:04 

GMT+0000 

"GET /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt_pathJnfo=ktcore.actions.document.view&fDocumentld-144739  HTTP/1.1  000  0 

IP 

Time  Zone 

GMT+0000 

"GET /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt_path_info=ktcore.actions.document.view8ifDocumentld=144739  H1TP/1.1  2UU  1696// 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

22.225.41.22 

3/5/2010  4:04 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore. actions. document.view&fDocumentld-132843  HT 1  P/1.1  000  0 

123 

22.225.41.22 

3/5/2010  4:04 

GMT+0000 

"GET /intelink.wip. ismc.sgov.gov/inteldocs/action.php?kt_path_info=ktcore. actions. document. view&fDocumentld=132843  HTTP/1.1  200  462311 

GMT+0000 

"GET  /lntelink.wip.ismc.sgov.gov/inteldocs/action.php?kt_pathJnfo=ktcore.actions.document.view&fDocumentld=13283b  HTTP/l.l  2uu  45/830 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" _ _ _ 

3/5/2010  4:04 

GMT+0000 

"GET /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld-144034  HTTP/l.l  000  0 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  .Assessments" 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore.actions.document.view&fDocumentld-144034  H 1 1  P/l.l  2uu  b33Zb 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments” 

GMT+0000 

"GET/intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt pathjnfo=ktcore.actions.document.view&fDocumentld-144038  HTTP/l.l  0000 

3/5/2010  4:04 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt_path_info=ktcore. actions. document.view&fDocumentld=144038  HTTP/l.l  2u0  61922 

3/5/2010  4:04 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld-132837  HTtP/l.l  000  0 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt_pathJnfo=ktcore.actions.document.view&fDocumentld=132837  HTTP/1.1  200  191/02 
"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

22.225.41.22 

3/5/2010  4:05 

GMT+0000 

"GET /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.viewf4tDocumentld=144/39  Hi  IP/1.1  uuuO 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

132 

22.225.41.22 

3/5/2010  4:05 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt pathJnfo=ktcore.actions.document.view&fDocumentld-144739  HTTP/1.1  200  159677 

133 

22.225.41.22 

3/5/2010  4:05 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt_path _info=ktcore.actions.document.view8ifDocumentld=132839  HTTP/1.1  000  0 

134 

22.225.41.22 

3/5/2010  4:05 

GMT+0000 

"GET /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt_path_info=ktcore.actions.document.view&fDocumentld=132839  HTTP/1.1  200  702469 
"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

135 

22.225.41.22 

3/5/2010  4:06 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt pathJnfo=ktcore.actions.document.view&tDocumentid-14403/  h  i  i  p/i.i  uuu  u  | 

136 

22.225.41.22 

3/5/2010  4:06 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore. actions. document.view&fDocumentld-14403  7  Hi  TP/l.l  200  290709 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

137 

22.225.41.22 

3/5/2010  4:07 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt_path_info=ktcore.actions.document.view&fDocumentld=132842  HTTP/1.1  000  0 

138 

22.225.41.22 

3/5/2010  4:07 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore. actions. document. view&tDocumentld-132842  H  \  I  P/l.1  i>U4  4y2 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO Detainee Assessments11 

139 

22.225.41.22 

3/5/2010  4:07 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt pathJnfo=ktcore. actions. document.view&fDocumentld-132838  H 1 1  P/l.l  000  0 

140 

22.225.41.22 

3/5/2010  4:07 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld-132838  H TTP/1.1  200  714131 

141 

22.225.41.22 

3/5/2010  4:07 

GMT+0000 

"GET  /intelink.wip.ismc. sgov.gov/inteldocs/action. php?kt pathJnfo=ktcore.actions.document.view&fDocumentld-144035  H 1 1  P/l.l  uuu  u 

142 

22.225.41.22 

3/5/2010  4:07 

GMT+0000 

“GET  /intelink.wip. ismc. sgov.gov/inteldocs/action. php?kt path info=ktcore. actions. document. view8ifDocumentld=144035  HTTP/1.1  200  4897266 

143 

22.225.41.22 

3/5/2010  4:07 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action.php?kt _path_info=ktcore. actions. document.view&fDocumentld-132858  http/i.i  UUUU 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

144 

22.225.41.22 

3/5/2010  4:07 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore.actions.document.view8ifDocumentld-132858  HTTP/1.1  200  693570 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

Timo  7nnp 

"GET /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view8ifDocumentld-1301bl  HI  l  p/l.l  uuu  u 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld-130161  HTTP/1.1  504  491 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteld  ocs/action.php?kt_path_info=ktca  re. actions. document.view8ifDocumentld=144014  HTTP/1.1  504  492 

GMT+0000 

"GET /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt pathJnfo=ktcore.actions.document.view&fDocumentld-130053  HTTP/1.1  504  491 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt_path_info=ktcore.actions.document.view8ifDocumentld-132853  HTTP/1.1  200  296188 

GMT+0000 

"GET /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore.actions.document.view&tDocumentld=l44Ul3  hi  i P/l.l  5U4  4si 

3/5/2010  4:11 

GMT+0000 

"GET  /intelink.wip.  ismc.sgov.gov/inteldocs/action. php?kt_path_info=ktcore.  actions.  document.view&fDocumentld-132841  HTTP/1.1  504  492 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view8ifDocumentld=132857  HTTP/1.1  200  988187 

"htto7/www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt pathJnfo=ktcore.actions.document.view8ifDocumentld-132851  HTTP/1.1  200  684158 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld=144015  HTTP/1.1  200  4008482 

155 

22.225.41.22 

3/5/20104:13 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path info-ktcore.actions.document.view&fDacumentld-144011  HTTP/1.1  200  499479 

"http //www.intelink.sgov  gov/wiki/JTF-GTMO  Detainee  Assessments" 

156 

22.225.41.22 

3/5/2010  4:15 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt_path_info=ktcore. actions. document.view&fDocumentld=144U16  h  \  \  P/l.l  20u  106515 

157 

22.225.41.22 

3/5/2010  4:15 

GMT+0000 

"GET  /intelink.wip.ismc. sgov.gov/inteldocs/action. php?kt_path_info=ktcore. actions. document.viewfifDocumentld-132859  HTTP/1.1  200  545269 

158 

22.225.41.22 

3/5/2010  4:15 

GMT+0000 

"GET  /intelink.wip. ismc. sgov.gov/inteldocs/action. php?kt_path_info=ktcore. actions. document.view8ifDocumentld-144012  HTTP/1.1  200  225189 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

159 

22.225.41.22 

3/5/20104:15 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt_path_info=ktcore.actions.document.view&fDocumentld=130013  HTTP/1.1  200  267600 

160 

22.225.41.22 

3/5/2010  4:15 

GMT+0000 

"GET /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt pathJnfo=ktcore.actions.document.view&fDocument!d=132855  HTTP/l.l  200  2914686 

161 

22.225.41.22 

3/5/2010  4:15 

GMT+0000 

"GET /intelink.wip. ismc. sgov.gov/inteldocs/action.php?kt_pathJmfo=ktcore. actions. document.view&tDocumentlO=13284b  mi  ip/i.i  504  491 

162 

22.225.41.22 

3/5/2010  4:16 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore.actions.document.view&fDocumentld=130112  HI  I  P/l.l  5U4 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

163 

22.225.41.22 

3/5/2010  4:16 

GMT+0000 

"GET /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt_path_info=ktcore.actions.document.view8ifDocumentld-13284/  HI  IP/1.1  504  4yi 

164 

22.225.41.22 

3/5/2010  4:16 

GMT+0000 

"GET /intelink.wip. ismc. sgov.gov/inteldocs/action. php?kt_path_info=ktcore.actions.document.view8ifDocumentld=:144009  HTTP/l.l  200  4478631 
"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

165 

22.225.41.22 

3/5/2010  4:16 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt_path_info=ktcore.actions.document.view8ifDocumentld-144740  HTTP/l.l  504  492 

166 

22.225.41.22 

3/S/2010  4:19 

GMT+0000 

"GET /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt_pathJnfo=ktcore.actions.document.view8ifDocumentld-144032  HTTP/l.l  200  549280 

167 

22.225.41.22 

3/5/2010  4:19 

GMT+0000 

"GET /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt pathJnfo=ktcore.actions.document.view8ifDocumentld-144008  HTTP/l.l  504  491 

"http://www-intelink.sgov.gov/wiki/JTF-GTMO  Detainee AssessmentsM   , 

168 

22.225.41.22 

3/5/2010  4:20 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=kt core. actions. document.view8ifDoaimentld=132856  HTTP/l.l  504  492 

Number 

IP 

Date/  Time 

Time  2one 

Action 

169 

22.225.41.22 

3/5/2010  4:20 

GMT+0000 

"GET/intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt pathJnfo=ktcore.actions.document.view&fDocumentld=144007  HTTP/1.1"  200  2448742 

''http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

170 

22.225.41.22 

3/5/2010  4:20 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt pathJnfo=ktcore.actions.document.view8ifDocumentld=144022  HTTP/1.1"  200  2523980 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

171 

22.225.41.22 

3/5/2010  4:22 

GMT+0000 

"GET /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore.actions.document.view&fDocumentld=132835  HTTP/1. 1"  200  150729 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

172 

22.225.41.22 

3/5/2010  4:23 

GMT+0000 

"GET  /intelink. wip.ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore.actions.doaiment.view8ifDacumentld=144023  HTTP/1.1”  200  555751 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

173 

22.225.41.22 

3/5/2010  4:23 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore.actions.document.view8(fDocumentld=:144030  HTTP/1. 1"  200  448576  j 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments"  1 

174 

22.225.41.22 

3/5/2010  4:24 

GMT+0000 

”GET/intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld=144025  HTTP/1.1"  200  69347 

''http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

175 

22.225.41.22 

3/5/2010  4:24 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore.actions.document.view&fDocumentld=132850  HTTP/1.1"  200  165761 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

176 

22.225.41.22 

3/5/2010  4:24 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view8ifDocumentld=144027  HTTP/1.1”  200  882777 

''http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

177 

22.225.41.22 

3/5/2010  4:24 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld=144021  HTTP/1.1"  200  75811 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

178 

22.225.41.22 

3/5/2010  4:24 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt pathJnfo=ktcore.actions.document.view&fDocumentld=144024  HTTP/1. 1"  200  3025483 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

179 

22.225.41.22 

3/5/2010  4:25 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore.actions.document.view&fDocumentld=132849  HTTP/1. 1"  200  641460 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

180 

22.225.41.22 

3/5/2010  4:25 

GMT+0000 

"GET /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore.actions.document.view&fDocumentld=129992  HTTP/1.1"  200  242256 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

181 

22.225.41.22 

3/5/2010  4:25 

GMT+0000 

"GET /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt pathjnfo=ktcare. actions. document. view&fDocumentld=132846  HTTP/1.1”  200  461375 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

182 

22.225.41.22 

3/5/2010  4:27 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld =132844  HTTP/1.1"  200  333342 

“http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

183 

22.225.41.22 

3/5/2010  4:27 

GMT+0000 

"GET /intelink.  wip.ismc.sgov.gov/inteldocs/action. php?kt pathJnfo=ktcore.actions.document.view8ifDocumentld=132852  HTTP/1.1"  200  714845 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

184 

22.225.41.22 

3/5/2010  4:27 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore.actions.document.view8ifDocumentld=129990  HTTP/1. 1"  200  230721 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

185 

22.225.41.22 

3/5/2010  4:27 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path info==ktcore.actions.document.view&fDocumentld=132915  H 1 1  P/1.1"  200  912900 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

186 

22.225.41.22 

3/5/2010  4:27 

GMT+0000 

"GET /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore.actions.document.view&fDocumentld=144031  HTTP/1.1"  200  208541 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

187 

22.225.41.22 

3/5/2010  4:28 

GMT+0000 

"GET /intelink.wip. ismc.sgov.gov/inteldocs/action.php?kt pathJnfo=ktcore.artions.document.view&fDoaimentld=1300069  HTTP/1. 1“  200  14132 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

188 

22.225.41.22 

3/5/2010  4:28 

GMT+0000 

"GET/intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt pathJnfo=ktcore.actions.document.view8ifDocumentld=132920  HTTP/1.1"  200  309223 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

189 

22.225.41.22 

3/5/2010  4:28 

GMT+0000 

"GET /intelink.wip. ismc.sgov.gov/inteldocs/artion. php?kt path info=ktcore.actions.document.view&fDocumentld=1329U  HTTP/1.1"  200  629072 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

190 

22.225.41.22 

3/5/2010  4:28 

GMT+0000 

"GET  /intelink.wip. ismc. sgov.gov/inteldocs/action. php?kt path info=ktcore. actions. document.view&fDocumentld=132905  HTTP/1.1"  200  310312 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

191 

22.225.41.22 

3/5/2010  4:28 

GMT+0000 

"GET /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore.actions.document.viewgifDocumentld=132908  HTTP/1.1"  200  495071 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

192 

22.225.41.22 

3/5/2010  4:28 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld=144026  HTTP/1.1"  200  212789 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

IP 

GMT+OOOO 

"GET /intelink.wip.ismc.sgov.gov/inteldocs/3ction.php?kt pathJnfo=ktcore.actions.document.view&fDocumentld-132922  H 1 1 P/1.1  2UU  24b229 

3/5/2010  4:29 

GMT+OOOO 

"GET /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld=130168  HTTP/1.1  200  215002 

3/5/2010  4:29 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore. actions. document.view&fDocumentld-144020  HTTP/1.1  200186991 

3/5/2010  4:29 

GMT+OOOO 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt_path_info=ktcore.actions.document.view8ifDocumentld=132919  HTTP/1.1  200  220568 
''http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

197 

22.225.41.22 

3/5/2010  4:29 

GMT+OOOO 

"GET /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcare. actions. document.view&fDocumentld=144029  HTTP/1.1  200  325237 

3/5/2010  4:29 

GMT+OOOO 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld=132912  HTTP/1.1  200  21/895 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

22.225.41.22 

3/5/2010  4:29 

GMT+OOOO 

"GET /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt pathJnfo=ktcore.actions.document.view&fDocumentld=132918  HTTP/1.1  200  2b5b21 

22.225.41.22 

3/5/2010  4:29 

GMT+OOOO 

"GET /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore.actions.document.view8itDacumentld-1301b3  HTTP/1.1  200  28U334 

22.225.41.22 

3/5/2010  4:29 

GMT+OOOO 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt_path_info=ktcore.actions. document. view&fDocumentld=132921  HTTP/1.1  200  267797 
"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

3/5/2010  4:29 

GMT+OOOO 

"GET /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt_pathJnfo=ktcore.actions.document.view&fDocumentld-130072  HTTP/1.1  200  2b4016 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

203 

22.225.41.22 

3/5/2010  4:29 

GMT+OOOO 

"GET /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt pathJnfo=ktcore.actions.document.view&fDocumentld=144028  H I  TP/l.l  2UU  2U5/82 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments” 

204 

22.225.41.22 

3/5/2010  4:29 

GMT+OOOO 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt_path_info=ktcore.actions.document.view&fDocumentld- 130035  HTTP/1.1  200  273970 

205 

22.225.41.22 

3/5/2010  4:29 

GMT+OOOO 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt pathJnfo=ktcore.actions.document.view&fDocumentld-132907  HTTP/1.1  200  4b00b4 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

206 

22.225.41.22 

3/5/2010  4:29 

GMT+OOOO 

"GET /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt_pathjnfo=ktcore.actions.document.view&fDocumentid=130141  HTTP/1.1  200  237819 

207 

22.225.41.22 

3/5/2010  4:29 

GMT+OOOO 

“GET  /intelink.wip. ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld=130192  HTTP/1.1  200  28864b 

208 

22.225.41.22 

3/5/20104:29 

GMT+OOOO 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt pathJnfo=ktcore.actions.document.view&fDocumentld-132910  HTTP/1.1  200  418098 

"http://www.intelink.5gov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

209 

22.225.41.22 

3/5/2010  4:29 

GMT+OOOO 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt pathJnfo=ktcore.actions.document.view&fDocumentld=132903  HTTP/1.1  2U0b9ii»8 

210 

22.225.41.22 

3/5/2010  4:30 

GMT+OOOO 

"GET  /intelink.wip.lsmc.sgov.gov/lnteldocs/action.php?kt pathJnfo=ktcore.actions.document.view&fDocumentld=132904  HTTP/1.1  200  291443 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

211 

22.225.41.22 

3/5/2010  4:30 

GMT+OOOO 

"GET /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld=132898  HTTP/1.1  200  98811U 

22.225.41.22 

3/5/2010  4:30 

GMT+OOOO 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt_pathJnfo=ktcore.actions.document.view&fDocumentld=132901  HTTP/1.1  200  2/2338 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

213 

22.225.41.22 

3/5/2010  4:30 

GMT+OOOO 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt_pathJnfo=ktcore.actions.document.view&fDocumentld-132900  HTTP/l.l  200  341403 

214 

22.225.41.22 

3/5/2010  4:30 

GMT+OOOO 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action.php?kt_path_info=ktcore.actions.document.view&fDocumentld=132902  HTTP/l.l  200  8/bUb2 
"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

215 

22.225.41.22 

3/5/2010  4:30 

GMT+OOOO 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld=132916  HTTP/l.l  200  543719 

216 

22.225.41.22 

3/5/2010  4:30 

GMT+OOOO 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt_path_info=ktcore. actions. document. view&fDocumentld=132913  HTTP/l.l  200  900090 

IP 

Date/ Time 

Action 

217 

22.225.41.22 

3/5/2010  4:30 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore. actions. document. view&fDocumentld= 132909  HTTP/1.1  200  573385 

"httD://www. intelink.scov.gov/wiki/JTF-GTMO  Detainee  Assessments” 

218 

22.225.41.22 

3/5/2010  4:30 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore. actions. document. view&fDocumentld=130068  HTTP/1.1  200  266066 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

219 

22.225.41.22 

3/5/2010  4:31 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt_path_info=ktcore.actions.document.view8ifDocumentld=129950  HTTP/1.1  200  254770 

220 

22.225.41.22 

3/5/2010  4:31 

GMT+0000 

"GET /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=kt  core. actions.document.view&fDocumentld=132914  HTTP/1.1  200  448922 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments” 

221 

22.225.41.22 

3/5/2010  4:31 

GMT+0000 

"GET /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore.actions.document.view8ifDocumentld=132917  HTTP/1.1  200  663497 

222 

22.225.41.22 

3/5/2010  4:31 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore. actions. document.view&fDocumentld=132899  HTTP/1.1  200  212867 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

22.225.41.22 

3/5/2010  4:31 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore. actions. document.view&fDocumentld=132906  HTTP/1.1  200  498085 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

224 

22.225.41.22 

3/5/2010  4:31 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore.actions.document.view&fDocumentld=130066  HTTP/1.1  200  267088 

225 

22.225.41.22 

3/5/2010  4:31 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt pathJnfo=ktcore.actions.document.view&fDocumentld=132942  HTTP/1.1  200  734061 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

226 

22.225.41.22 

3/5/2010  4:31 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view8ifDocumentld=130170  HTTP/1. 1”  200  260559 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

227 

22.225.41.22 

3/5/2010  4:31 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld=132944  HTTP/1.1  200  330516 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

228 

22.225.41.22 

3/5/2010  4:31 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore. actions. document. view&fDocumentld= 132924  HTTP/1.1  200  622241 

229 

22.225.41.22 

3/5/2010  4:31 

GMT+0000 

”GET/intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld=130071  HTTP/1.1  200  197219 

230 

22.225.41.22 

3/5/2010  4:31 

GMT+0000 

"GET/intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld=132947  HTTP/1.1  200  2742429 

231 

22.225.41.22 

3/5/2010  4:32 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore.actions.document.view&fDocumentld=129949  HTTP/1.1  200  277994 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

232 

22.225.41.22 

3/5/2010  4:32 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld=144053  HTTP/1.1  200  59317 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

233 

22.225.41.22 

3/5/2010  4:32 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore. actions. document. view8ifDocumentld=132939  HTTP/1.1  200  878904 

234 

22.225.41.22 

3/5/2010  4:32 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld=144056  HTTP/1.1  200  125559 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

235 

22.225.41.22 

3/5/2010  4:32 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld=132938  HTTP/1.1  200  622686 

236 

22.225.41.22 

3/5/2010  4:33 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt pathJnfo=ktcore.actions.document.view&fDocumentld=l32946  HTTP/1.1  200135894 

"http://www.intelink.SROv.R0v/wiki/JTF-GTMO  Detainee  Assessments" 

237 

22.225.41.22 

3/5/2010  4:33 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt pathjnfo=ktcore.actions.document.view&fDocumentld=144045  HTTP/1.1  200  142455 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

238 

22.225.41.22 

3/5/2010  4:33 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt pathjnfo=ktcore.actions.document.view&fDocumentld=144057  HTTP/1.1  200  2509719 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

239 

22.225.41.22 

3/5/2010  4:33 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld=144048  HTTP/1.1  200  1862058 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

240 

22.225.41.22 

3/5/2010  4:33 

GMT+0000 

"GET /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore.actions.document.view&fDocumentld=144047  HTTP/1.1  200  59325 

"http://www.intelink.SROv.gov/wiki/JTF-GTMO  Detainee  Assessments" 

IP 

Date/  Time 

Time  Zone 

241 

22.225.41.22 

3/5/2010  4:33 

GMT+0000 

"GET/intelmk.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld=130140  HTTP/1.1  200  252688 

"http://www.intelink.sgov.Rov/wiki/JTF-GTMO  Detainee  Assessments" 

242 

22.225.41.22 

3/5/2010  4:34 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.attions.document.view&fDocumentld =132933  HTTP/1. 1"  200  736113 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

243 

22.225.41.22 

3/5/2010  4:34 

GMT+0000 

"GET  /intelink.wip.ismc.sgav.gov/inteldocs/action.php?kt path info=ktcore.actions.doajment.view&fDocumentld=132932  HTTP/1.1  200  793118 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

244 

22.225.41.22 

3/5/2010  4:34 

GMT+0000 

"GET /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions. document. view&fDocumentld =13 2937  HTTP/1. 1"  200  805863 

"http://www.intelink.sgov.ROv/wiki/JTF-GTMO  Detainee  Assessments" 

245 

22.225.41.22 

3/5/2010  4:35 

GMT+0000 

"GET /intelink.wip. ismc.sgov.gov/inteldocs/action.php?kt pathJnfo=ktcore.actions.document.view&fDocumentld=144044  HTTP/1.1"  200  150512 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

246 

22.225.41.22 

3/5/2010  4:35 

GMT+0000 

"GET /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore.actions.document.view&fDocumentld=144727  HTTP/1.1  200  58690S 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

1  247 

22.225.41.22 

3/5/2010  4:35 

GMT+0000 

"GET/intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld=132934  HTTP/1.1'  200  792356 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

248 

22.225.41.22 

3/5/2010  4:35 

GMT+0000 

"GET /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld=132928  HTTP/1.1 ' 200  407943 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

249 

22.225.41.22 

3/5/2010  4:35 

GMT+0000 

"GET/intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt pathJnfo=ktcore.actions.document.view&fDocumentld=132943  HTTP/1.1"  200  118514 

"http://www.intelink.sRov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

250 

22.225.41.22 

3/5/2010  4:35 

GMT+0000 

"GET /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld=132948  HTTP/1.1  200  321678 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

251 

22.225.41.22 

3/5/2010  4:35 

GMT+0000 

"GET /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore.actions.document.view&fDocumentld= 132926  HTTP/1.1  200  536994 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

252 

22.225.41.22 

3/5/2010  4:36 

GMT+0000 

"GET  /intelink.wip.  ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore.  actions.  document.view&fDocumentld=130021  HTTP/1.1  200  273177 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

253 

22.225.41.22 

3/5/2010  4:36 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld=130105  HTTP/1.1  200  265546 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

254 

22.225.41.22 

3/5/2010  4:36 

GMT+0000 

"GET/intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt pathJnfo=ktcore.actions.document.view&fDocumentld=132936  HTTP/1.1"  200  223258 

“http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

255 

22.225.41.22 

3/5/2010  4:36 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view8ifDocumentld=132940  HTTP/1.1"  200  646055 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

256 

22.225.41.22 

3/5/2010  4:36 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt pathJnfo=ktcore.actions.document.view8ifDocumentld=132929  HTTP/1.1”  200  516450 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

257 

22.225.41.22 

3/5/2010  4:36 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore.actions.document.view&fDocumentld=132935  HTTP/1.1"  200  691920 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

258 

22.225.41.22 

3/5/2010  4:36 

GMT+0000 

"GET /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld=144055  HTTP/1.1"  200  164312 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

259 

22.225.41.22 

3/5/2010  4:36 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view8ifDocumentld=144727  HTTP/1. 1”  200  586905 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

260 

22.225.41.22 

3/5/2010  4:36 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt pathJnfo=ktcore.actions.document.view&fDocumentld=132941  HTTP/1.1  200  703513 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

261 

22.225.41.22 

3/5/2010  4:36 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt pathJnfo=ktcore.actions.document.view8ifDocumentld=132925  HTTP/1.1"  200  792959 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

262 

22.225.41.22 

3/5/2010  4:37 

GMT+0000 

"GET /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld=130159  HTTP/1. 1"  200  295457 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

263 

22.225.41.22 

3/5/2010  4:37 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore. actions. document. view&fDocumentld=130107  HTTP/1.1  200  261709 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

264 

22.225.41.22 

3/5/2010  4:37 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore. actions. document.view&fDocumentld=132927  HTTP/1.1  200  639800 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

Number 

IP 

Date/  Time 

Time  Zone 

Action 

265 

22.225.41.22 

3/5/2010  4:37 

GMT+0000 

"GET  /intelink.wip.ismc. sgov.gov/inteldocs/action.php?kt pathjnfo=k:tcore. actions. document. view&fDocumentld=l 30179  HTTP/1.1 ' 200  261950 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

266 

22.225.41.22 

3/5/2010  4:37 

GMT+0000 

“GET /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt pathJnfo=ktcore.actions.document.view&fDocumentld=144049  HTTP/1.1  200  219901 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

267 

22.225.41.22 

3/5/2010  4:37 

GMT+0000 

"GET  /intelink.wipJSmc.sgov.gov/inteldocs/action.php?kt pathJnfo=ktcore.actions.document.view&fDocumentld=:132930  HTTP/1.1  200  884208 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

268 

22.225.41.22 

3/5/2010  4:37 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt pathJnfo=ktcore.actions.document.view8ifDocumentld=144050  HTTP/1.1  200  129711 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

269 

22.225.41.22 

3/5/2010  4:37 

GMT+0000 

"GET  /intelink.wip.ismc.  sgov.gov/inteldocs/action.  php?kt path info=ktcore.  actions.  document.view&fDocumentld=132931  HTTP/1.1  200  295140 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

270 

22.225.41.22 

3/5/2010  4:37 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore. actions. document.view&fDocumentld=130157  HTTP/1.1  200  346073 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

271 

22.225.41.22 

3/5/2010  4:37 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt pathJnfo=ktcore.actions.document.view&fDocumentld=129948  HTTP/1.1  200  285168 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

272 

22.225.41.22 

3/5/2010  4:37 

GMT+0000 

”GET/intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt pathJnfo=ktcore.actions.document.view&fDocumentld=132945  HTTP/1.1  200  665585 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

273 

22.225.41.22 

3/5/2010  4:37 

GMT+0000 

"GET /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore.actions.document.view&fDocumentld=130029  HTTP/1.1  200  315484 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

274 

22.225.41.22 

3/5/2010  4:38 

GMT+0000 

"GET /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore.actions.document.view&fDocumentld=132976  HTTP/1.1  200  361953 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

275 

22.225.41.22 

3/5/2010  4:38 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld=132978  HTTP/1.1"  200  360507 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

276 

22.225.41.22 

3/5/2010  4:38 

GMT+0000 

"GET  /intelinkwip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld= 144051  HTTP/1.1  200  2410402 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

277 

22.22S.41.22 

3/5/2010  4:43 

GMT+0000 

"GET /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore.actions.document.view8tfDocumentld=130432  HTTP/1.1"  200  160175 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

278 

22.225.41.22 

3/5/2010  4:46 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action.php?kt pathJnfo=ktcore.actions.document.view&fDocumentld=128973  HTTP/1.1"  000  0 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

279 

22.225.41.22 

3/5/2010  4:46 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action.php7kt path info=ktcore.actions.document.view&fDocumentld=128973  HTTP/1.1  200  284077 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

280 

22.225.41.22 

3/5/2010  5:47 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore.actions.document.view8ifDocumentld=128973  HTTP/1.1  200  9665 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

281 

22.225.41.22 

3/5/2010  5:47 

GMT+0000 

"GET/intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld=132970  HTTP/1.1"  000  0 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

282 

22.22S.41.22 

3/5/2010  5:47 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld=132970  HTTP/1.1  200  399967 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

283 

22.225.41.22 

3/5/2010  5:47 

GMT+0000 

"GET /intelink.wip. ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentid=132970  HTTP/1.1  000  0 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

284 

22.225.41.22 

3/5/2010  5:47 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt pathJnfo=ktcore.actions.document.view&fDocumentld=132970  HTTP/1.1  200  399967  ; 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

285 

22.225.41.22 

3/5/2010  5:47 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld=130067  HTTP/1.1  000  0 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

286 

22.225.41.22 

3/5/2010  5:47 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore.actions.document.view8ifDocumentld=130067  HTTP/1.1"  200  303303 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

287 

22.225.41.22 

3/5/2010  5:47 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld=132967  HTTP/1.1  000  0 

“http://www.intelink.siov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

288 

22.225.41.22 

3/5/2010  5:47 

GMT+0000 

"GET  /intelink.wip.ismc. sgov.gov/inteldocs/action. php?kt path info=ktcore. actions. document.view&fDocumentld=132967  HTTP/1.1  20045710 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

Number 

IP 

Date/  Time 

Time  Zone 

Action 

289 

22.225.41.22 

3/5/2010  5:47 

GMT+0000 

"GET  /intelink.wip.ismc. sgov.gov/inteldocs/action. php?kt path info=ktcore. actions. document.view8<fDocumentld=132957  HTTP/1.1"  000  0 

"http://www.intelink.SROv.Kov/wiki/JTF-GTMO  Detainee  Assessments" 

290 

22.225.41.22 

3/5/2010  5:47 

GMT+0000 

"GET /intelink.wip.  ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore.actions.document.view&fDocumentld=132957  HTTP/1.1"  200  181408 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

291 

22.225.41.22 

3/5/2010  5:48 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore.actions.document.view&fDocumentld=130156  HTTP/1.1”  000  0 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

292 

22.225.41.22 

3/5/2010  5:48 

GMT+0000 

"GET/intelink.wip.ismc.5gov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDoajmentld=130156  HTTP/1.1"  200  286730 

’'http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

293 

22.225.41.22 

3/5/2010  5:48 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore. actions. document. view&fDocumentld= 132973  HTTP/1.1"  000  0 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

294 

22.225.41.22 

3/5/2010  5:48 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt pathJnfo=ktcore. actions. document.view&fDocumentld=132973  HTTP/1. 1"  200  340124 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

295 

22.225.41.22 

3/5/2010  5:48 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path mfo=ktcore.actions.document.view&fDocumentld=144739  HTTP/1.1"  200  159677 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

296 

22.225.41.22 

3/5/2010  5:49 

GMT+0000 

"GET/intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld=130086  HTTP/1.1"  200  264560 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

297 

22.225.41.22 

3/5/2010  5:49 

GMT+0000 

"GET/intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt pathJnfo=ktcore.actions.document.view&fDocumentld=130088  HTTP/1.1"  200  256305 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

298 

22.225.41.22 

3/5/2010  5:50 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt pathJnfo=ktcore.actions.document.view&fDocumentld=130187  HTTP/1.1"  200  264567 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

299 

22.225.41.22 

3/5/2010  5:50 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore.actions.document.view&fDocumentld=129947  HTTP/1.1"  200  277345 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

300 

22.225.41.22 

3/5/2010  5:50 

GMT+0000 

"GET/intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt pathJnfo=ktcore.actions.document.view&fDocumentld=132971  HTTP/1.1"  200  810443 

"http://www.intelink.SROv.gov/wiki/JTF-GTMO  Detainee  Assessments" 

301 

22.225.41.22 

3/5/2010  5:50 

GMT+0000 

"GET /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt pathJnfo=ktcore.actions.document.view&fDocumentld=132977  HTTP/1.1"  200  696077 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

302 

22.225.41.22 

3/5/2010  5:50 

GMT+0000 

"GET  /Intel ink. wip.ismc. sgov. gov/inteldocs/action.php?kt path info=ktcore. actions. document. view8ifDocumentld=1440S2  HTTP/1. 1”  200  130515 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments” 

303 

22.225.41.22 

3/5/2010  5:50 

GMT+0000 

”GET/intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt pathJnfo=ktcore.actions.document.view&fDocumentld=132969  HTTP/1. 1”  200  702774 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

304 

22.225.41.22 

3/5/2010  5:50 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore. actions. document.view&fDocumentld=132954  HTTP/1.1"  200  789508 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

305 

22.225.41.22 

3/5/2010  5:50 

GMT+0000 

"GET  /intelink.wip. ismc. sgov.gov/inteldocs/action. php?kt path info=ktcore. actions. document.view8ifDocumentld=130054  HTTP/1.1"  200  312341 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

306 

22.225.41.22 

3/5/2010  5:50 

GMT+0000 

“GET /Intel ink. wip. ismc. sgov. gov/inteldocs/action. php?kt path info=ktcore. actions. document.view&fDocurnentld=132974  HTTP/1.1"  200  455735 

“http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

307 

22.225.41.22 

3/5/2010  5:51 

GMT+0000 

”GET/intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld=132955  HTTP/1.1"  200  844597 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments” 

308 

22.225.41.22 

3/5/2010  5:51 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld=132966  HTTP/1. 1"  200  430264 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

309 

22.225.41.22 

3/5/2010  5:51 

GMT+0000 

"GET/intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view8ifDocumentld=132961  HTTP/1.1"  200  189688 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

310 

22.225.41.22 

3/5/2010  5:51 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt pathJnfo=ktcore.actions.document.view&fDocumentld=132965  HTTP/1.1"  200  697668 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

311 

22.225.41.22 

3/5/2010  5:51 

GMT+0000 

“GET /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore.actions.document.view8ifDocumentld=129951  HTTP/1. 1"  200  287204 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

312 

22.225.41.22 

3/5/2010  5:51 

GMT+0000 

”GET/intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt pathJnfo=ktcore.actions.document.view8ifDocumentld=132968  HTTP/1.1"  200  4924410 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

Number 

IP 

Date/  Time 

Time  Zone 

„  ,, 

3/5/2010  5:51 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view8ifDocumentld=132960  HTTP/1.1  504  492 

''http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

314 

22.225.41.22 

3/5/2010  5:51 

GMT+0000 

“GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt pathJnfo=ktcare.actions.document.view&fDocumentld=132962  HTTP/1.1  504  492 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

315 

22.225.41.22 

3/5/2010  5:51 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore.actions.document.view&fDocumentld=132963  HTTP/1.1  504  492 

"htto://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

316 

22.225.41.22 

3/5/2010  5:52 

GMT+0000 

"GET  /intelink. wip. ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore. actions. document. view&fDocumentld=132959  HTTP/1.1  504  492 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

317 

22.225.41.22 

3/5/2010  5:52 

GMT+0000 

"GET  /intelink.wip.ismc.sgov,gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld=132972  HTTP/1. 1’  200  130867 

"htto://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

318 

22.225.41.22 

3/5/2010  5:55 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt pathJnfo=ktcore.actions.document.view&fDocumentld=132975  HTTP/1.1  200  131501 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

319 

22.225.41.22 

3/5/2010  5:55 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore.actions.document.view&fDacumentld=132964  HTTP/1.1  200  389529 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

320 

22.225.41.22 

3/5/2010  5:55 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore. actions. document  view&fDocumentld=132958  HTTP/1.1  200  384040 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

321 

22.225.41.22 

3/5/2010  5:55 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld=132956  HTTP/1.1  200  1B0670 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

322 

22.225.41.22 

3/5/2010  5:56 

GMT+0000 

"GET/intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt pathJnfo=ktcore.actions.document.view&fDocumentld=133326  HTTP/1. 1"  200  129878 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

323 

22.225.41.22 

3/5/2010  5:57 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore.actions.document.view&fDocumentld=133324  HTTP/1.1  200  138491 

"http://www.intermk.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

324 

22.225.41.22 

3/5/2010  5:57 

GMT+0000 

"GET/intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld=133332  HTTP/1.1  200  134786 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

325 

22.225.41.22 

3/5/2010  5:57 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld=133331  HTTP/1.1  200  135622 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

326 

22.225.41.22 

3/5/2010  5:57 

GMT+0000 

"GET/intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld=133333  HTTP/1.1"  200  275159 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

327 

22.225.41.22 

3/5/2010  5:57 

GMT+0000 

"GET/intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld=133322  HTTP/1.1  200  135501 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

328 

22.225.41.22 

3/5/2010  5:58 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore.actions.document.view8ifDocumentld=133329  HTTP/1.1"  200658955 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

329 

22.225.41.22 

3/5/2010  5:58 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore. actions. document.view&fDocumentld=133323  HTTP/1.1  200  103843 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

330 

22.225.41.22 

3/5/2010  5:59 

GMT+0000 

"GET/intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld=133327  HTTP/1.1  200942551 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

331 

22.225.41.22 

3/5/2010  5:59 

GMT+0000 

"GET /intelink. wip.ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore.actions.document.view&fDocumentld=133328  HTTP/1.1"  200  133989 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

332 

22.225.41.22 

3/5/2010  5:59 

GMT+0000 

"GET  /intelink.wip.ismc. sgov.gov/inteldocs/action.php?kt path info=ktcore. actions. document. view&fDocumentld =133346  HTTP/1.1’  200  610201 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

333 

22.225.41.22 

3/5/2010  5:59 

GMT+0000 

"GET /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt pathJnfo=ktcore.actions.document.view&fDocumentld=144054  HTTP/1.1  200  1288274 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

334 

22.225.41.22 

3/5/2010  5:59 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore. actions. document.view&fDocumentld=133343  HTTP/1.1'  200  574932 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

335 

22.225.41.22 

3/5/2010  5:59 

GMT+0000 

"GET/intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld=133345  HTTP/1.1  200  135193 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

336 

22.225.41.22 

3/5/2010  5:59 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld=144043  HTTP/1.1"  200  121592 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

■jp - 

Date/ Time - 

3/5/2010  5:59 

GMT+0000 

“GET /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt pathJnfo=ktcore.actions.document.view&fDocumentld=133342  HTTP/1.1  200  138078 

"htto://www. intelink.SEOv.gov/wiki/JTF-GTMO  Detainee  Assessments” 

3/5/2010  5:59 

GMT+0000 

“GET  /intermk.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld=133340  HTTP/1.1  200  202642 

22.225.41.22 

3/5/2010  5:59 

GMT+0000 

“GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt pathJnfo=ktcore.actions.document.view8ifDocumentld=144046  HTTP/1.1  200  204913 

340 

22.225.41.22 

3/5/2010  5:59 

GMT+0000 

"GET  /intelink.wip.  ismc.sgov.gov/inteldocs/action.  php?kt_path_info=ktcore.actions.document.view8ifDocumentld=133348  HTTP/1.1  200  281017 

3/5/20105:59 

GMT+0000 

“GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt_pathJnfo=ktcore.actions.document.view&fDocumentld=133349  HTTP/1.1  200  341365 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore.actions.document.view&fDocumentld=133338  HTTP/1.1  200  4900366 

3/5/2010  6:00 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt_path_info=ktcore.actions.document.view&fDocumentld=133337  HTTP/1.1  504  492 

344 

3/5/2010  6:00 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore. actions. document.view8ifDocumentld=133344  HTTP/1.1  504  492 

22.225.41.22 

3/5/2010  6:00 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore.actions.document.view&fDocumentld= 133341  HTTP/1.1  504  492 

346 

22.225.41.22 

3/5/2010  6:00 

GMT+0000 

"GET /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore. actions. document.viewgifDocumentld=133347  HTTP/1.1  504  492 

347 

22.225.41.22 

3/5/2010  6:01 

GMT+0000 

"GET  /intelink.  wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore. actions. document.view8ifDocumentld=133325  HTTP/1.1  200  5067594 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

348 

22.225.41.22 

3/5/2010  6:04 

GMT+0000 

"GET  /intelink.  wip.ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore.actions.document.view&fDocumentld-133330  HTTP/1.1  5U4  492 

349 

22.225.41.22 

3/5/2010  6:04 

GMT+0000 

"GET  /i ntelink.wip.ismc.sgov.gov/inteldocs/action. php?kt pathJnfo=ktcore.actions.document.view8cfDocumentld=130038  HTTP/1.1  504  492 

"httD://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

22.225.41.22 

3/5/2010  6:04 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt_path_info=ktcore.actionsdocument.view&fDocumentld=133621  HTTP/1.1  200  335024 

351 

22.225.41.22 

3/5/2010  6:04 

GMT+0000 

"GET /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore.actions.document.view&fDocumentld=130061  HTTP/1.1  504  492 

352 

22.225.41.22 

3/5/2010  6:05 

GMT+0000 

"GET  /intelink.  wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore. actions. document. view&fDocumentld=130024  HTTP/1.1  504  492 

353 

22.225.41.22 

3/5/2010  6:07 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action.php7kt _path_info=ktcore.actions.document.view&fDocumentld=l 33620  HTTP/1.1  200  630634 

354 

22.225.41.22 

3/5/2010  6:08 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt pathJnfo=ktcore.actions.document.view&fDocumentld=130019  HTTP/1.1  200  257763 

"htto://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

355 

22.225.41.22 

3/5/2010  6:08 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore.actions.document.view&fDocumentld=133624  HTTP/1.1  200  877836 

356 

22.225.41.22 

3/5/2010  6:08 

GMT+0000 

"GET  /intelink. wip.ismc.sgov.gov/inteldocs/action.php?kt_path_info=ktcore. actions. document. view&fDocumentld=133622  HTTP/1.1  200  1926638 

357 

22.225.41.22 

3/5/2010  6:09 

GMT+0000 

"GET /intelink. wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld*133626  HTTP/1.1  200  267941 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

358 

22.225.41.22 

3/5/2010  6:09 

GMT+0000 

"GET  /intelink.  wip.ismc.sgov.gov/inteldocs/action.php?kt path info=kt  core. actions. document. view&fDocumentld=133627  HTTP/1.1  200  1559895 

359 

22.225.41.22 

3/5/2010  6:09 

GMT+0000 

"GET/intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld=130147  HTTP/1.1  200  27/101 

"htto://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

360 

22.225.41.22 

3/5/2010  6:10 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore. actions. document. view&fDocumentld=133625  HTTP/1.1  200  790865 

22.225.41.22 

3/5/2010  6:10 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore.actions.document.view8ifDocumentld-133623  HTTP/1.1  200  138060 

362 

22.225.41.22 

3/5/2010  6:10 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt_path_info=ktcore.actions.document.view&fDocumentld=133619  HTTP/1.1  200  323509 
"htto://www. intelink.seov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

363 

22.225.41.22 

3/5/2010  6:11 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt pathJnfo=ktcore.actions.document.view&fDocumentld=130044  HTTP/1.1  200  266817 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

3/5/2010  6:11 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions. document. view8ifDocumentld=133649  HTTP/1.1  504  492 

"htto://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

365 

22.225.41.22 

3/5/2010  6:11 

GMT+0000 

"GET /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt_path_info=ktcore.actions.document.view8ifDocumentld=133650  HTTP/1.1  200  4601288 

3/5/2010  6:12 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt pathJnfo=ktcore.actions.document.view8cfDocumentld-133651  HTTP/1.1  200  200695 

22.225.41.22 

3/5/2010  6:12 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt pathjnfo=ictcore.actions.document.view&fDocumentld=130011  HTTP/1.1  504  492 

368 

22.225.41.22 

3/5/2010  6:12 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt pathJnfo=ktcore.actions.document.view&fDocumentld=130089  HTTP/1.1  504  492 

369 

22.225.41.22 

3/5/2010  6:13 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld=130116  HTTP/1.1  504  492 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

3/5/2010  6:15 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld=130091  HTTP/1.1  200  243763 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

371 

22.225.41.22 

3/5/2010  6:16 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld=130040  HTTP/1.1  200  248073 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

372 

22.225.41.22 

3/5/2010  6:16 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore.actions.document.view&fDocumentld=130182  HTTP/1.1  200  296120 

373 

22.225.41.22 

3/5/2010  6:16 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt pathJnfo=ktcore.actions.document.view8ifDocumentld=133647  HTTP/1.1  200  419019 

"htto://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

374 

22.225.41.22 

3/5/2010  6:17 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt pathJnfo=ktcore.actions.document.view&fDocumentld=133648  HTTP/1.1  200  838372 

"htto://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

375 

22.225.41.22 

3/5/2010  6:17 

GMT+0000 

"GET  /intelink.wip.ismc. sgov.gov/inteldocs/action. php?kt path info=ktcore.actions.document.view&fDocumentld=133643  HTTP/1.1  200  974034 

376 

22.225.41.22 

3/5/2010  6:17 

GMT+0000 

"GET /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore.actions.document.view8ifDocumentld=133641  HTTP/1.1  200  238346 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

377 

22.225.41.22 

3/5/2010  6:17 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore. actions. document. view8ifDocumentld=133638  HTTP/1.1  200  176693 

"httD://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

378 

22.225.41.22 

3/5/20106:17 

GMT+0000 

"GET/intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld=133640  HTTP/1.1  200  293445 

379 

22.225.41.22 

3/5/2010  6:17 

GMT+0000 

"GET /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld=133636  HTTP/1.1  200  279081 

380 

22.225.41.22 

3/5/2010  6:17 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld=133635  HTTP/1.1  200  586526 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

381 

22.225.41.22 

3/5/2010  6:18 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld=133639  HTTP/1.1  200  693456 

382 

22.225.41.22 

3/5/2010  6:18 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view8ifDocumentld=133634  HTTP/1.1  200  342012 

"htto://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

383 

22.225.41.22 

3/5/2010  6:18 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt pathJnfo=ktcore.actions.document.view&fDocumentld=133642  HTTP/1.1  200  322106 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

384 

22.225.41.22 

3/5/2010  6:18 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action.php?kt pathJnfo=ktcore.actions.document.view&fDocumentld=133633  HTTP/1.1  200  573041 

IP 

Time  2one 

3/5/2010  6:18 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/lnteldocs/action.php?kt_path_info=ktcore.actions.document.view8ifDocumentld=133637  HTTP/1.1  200  bb75l4 

22.225.41.22 

3/5/2010  6:18 

GMT+0000 

"GET /intelink.  wip.ismc.sgov.gov/inteldocs/action.php7kt_path  Jnfo=ktcore.actions.document.view&fDocumentld=133364  HTTP/1.1  200  269424 

387 

22.225.41.22 

3/5/2010  6:19 

GMT+0000 

“GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt pathJnfo=ktcore.actions.document.view&fDocumentld-133353  HTTP/l.i  200  363641 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

388 

22.225.41.22 

3/5/2010  6:19 

GMT+0000 

“GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt_path_info=ktcore.actions.document.view8ifDoaimentld=130181  HTTP/1.1  200  253596 

389 

22.225.41.22 

3/5/2010  6:19 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld=133356  HTTP/1.1  200  295401 

3/5/2010  6:19 

GMT+0000 

"GET /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore. actions. document.view&fDocumentld=144063  Hi TP/l.l  2UU  b4»ua 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

22.225.41.22 

3/5/2010  6:19 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore.actions.document.view&fDocumentld=133359  HTTP/l.l  2UU  luuayu 

22.225.41.22 

3/5/2010  6:19 

GMT+0000 

"GET/intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view81fDocumentld=1440bU  HI  TP/l.l  2UU  Hilly 

22.225.41.22 

3/5/2010  6:19 

GMT+0000 

“GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt_pathJnfo=ktcore.actions.document.view&fDocumentld=144059  HTTP/l.l  200  66368 

3/5/2010  6:19 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteld  ocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld=13335S  HTTP/l.l  200  4561834 

395 

22.225.41.22 

3/5/2010  6:19 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore.actions.document.view&fDocumentld=133357  HTTP/l.l  200  2b35527 

"httD://www. intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

396 

22.225.41.22 

3/5/2010  6:19 

GMT+0000 

"GET  /intelink.wip. ismc. sgov.gov/inteldocs/action. php?kt path mfo=ktcore. actions. document. view8dDocumentld=133362  HTTP/l.l  200  963567 

397 

22.225.41.22 

3/5/2010  6:19 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld=133361  HTTP/l.l  504  492 

398 

22.225.41.22 

3/5/2010  6:19 

GMT+0000 

"GET  /intelink. wip.ismc.5gov.gov/inteldocs/action.php?kt path info=ktcore. actions. document.view&fDocumentld=144064  HTTP/l.l  504  492 

399 

22.225.41.22 

3/5/2010  6:19 

GMT+0000 

"GET /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld=144058  HTTP/l.l  504  492 

400 

22.225.41.22 

3/5/2010  6:23 

GMT+0000 

"GET /intelink.wip.  ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore.actions.document.view&fDocumentld=133363  HTTP/l.l  200  2/2422 

“http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

401 

22.225.41.22 

3/5/2010  6:23 

GMT+0000 

"GET/intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt_pathJnfo=ktcore.actions.document.view&fDocumentld=144061  HTTP/l.l  200  88425 

"http://www  intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

402 

22.225.41.22 

3/5/2010  6:23 

GMT+0000 

“GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view8ifDocumentld=144065  HTTP/l.l  200  94945 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

403 

22.225.41.22 

3/5/2010  6:23 

GMT+0000 

"GET /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore. actions. document.view&fDocumentld=133360  HTTP/l.l  200  1018147 

404 

22.225.41.22 

3/5/2010  6:24 

GMT+0000 

"GET /intelink. wip.ismc.sgov.gov/inteldocs/act  ion. php?kt path info=ktcore.actions.document.view&fDocumentld=144062  HTTP/l.l  200  61900 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

405 

22.225.41.22 

3/5/2010  6:25 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt pathJnfo=ktcore.actions.document.view&fDocumentld=133358  HTTP/l.l  200  277033 

406 

22.225.41.22 

3/5/2010  6:25 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view8ifDocumentld=133354  HTTP/l.l  200  2015022 

407 

22.225.41.22 

3/5/2010  6:25 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore.actions.document.view&fDocumentld=144066  HTTP/l.l  200  408352 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

408 

22.225.41.22 

3/5/2010  6:25 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore. actions. document.view&fDocumentld=133378  HTTP/l.l  200  265437 

Time  Zone 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info’=ktcore.actions.document.view&fDocumentld=133368  HTTP/1.1  ZOO  Ib54u8b 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

3/5/2010  6:26 

GMT+OOOO 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt_pathJnfo=ktcore.actions.document.view&fDocumentld=133375  HTTP/1.1  200  553676 

3/5/2010  6:26 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action.php?kt_path_info=ktcore. actions. document.view&fDocumentld=133372  HTTP/1.1  200  164715 

22.225.41.22 

3/5/2010  6:26 

GMT+0000 

“GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld=133373  HTTP/1.1  200  693602 

3/5/2010  6:26 

GMT+0000 

"GET /intellnk.wip.ismc.sgov.gov/inteldocs/artion.php?kt_path_info=ktcore.actions.document.view8tfDocumentld=133367  HTTP/1.1  200  153822 

3/5/2010  6:26 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore. actions. document.view&fDocumentld=133374  HTTP/l.l  2tXJ  >83794 

GMT+0000 

"GET  /intelink.wip. ismc. sgov.gov/inteldocs/action. php?kt_pathJnfo=ktcore. actions. document. view&fDocumentld=130099  HTTP/l.l  200  306113 

3/5/2010  6:27 

GMT+0000 

"GET /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt pathJnfo=ktcore.attions.document.view&fDocumentld-130018  HTTP/l.l  2UU  28bblb 

417 

3/5/2010  6:27 

GMT+0000 

"GET/intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt pathJnfo=ktcore.actions.document.view&fDocumentld=133376  HTTP/l.l  200  405625 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

22.225.41.22 

3/5/2010  6:27 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path lnfb=ktcore.actions.document.view&fDocumentld=133370  HTTP/l.l  200  847212 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

419 

22.225.41.22 

3/5/2010  6:27 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt_path_info=ktcore.actions.document.view&fDocumentld=133379  HTTP/l.l  20fl  39513/ 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

420 

22.225.41.22 

3/5/2010  6:27 

GMT+0000 

"GET /intelink.wip. ismc.sgov.gov/inteldocs/action.php?kt_path_info=ktcore. actions. document. view&fDocumentld=133377  HTTP/l.l  200  641787 

421 

22.225.41.22 

3/5/2010  6:28 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt_pathJnfo=ktcore.actions.document.view&fDocumentld=133369  HTTP/l.l  200  800922 

422 

22.225.41.22 

3/5/2010  6:28 

GMT+0000 

"GET /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt pathJnfo=ktcore.actions.document.view&fDocumentld-130135  HTTP/l.l  200  Zb9/U0 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

423 

22.225.41.22 

3/5/2010  6:28 

GMT+0000 

"GET /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore. actions. document. view&fDocumentld=130138  HTTP/l.l  200  288877 

424 

22.225.41.22 

3/5/2010  6:28 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore.actions.document.view&fDocumentld-133307  HTTP/l.l  200  29668S 

425 

22.225.41.22 

3/5/2010  6:28 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt_pathjnfo=ktcore.actions.document.view8ifDocumentld-14473S  HTTP/l.l  200  69805 

426 

22.225.41.22 

3/5/2010  6:28 

GMT+OOOO 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld=133304  HTTP/l.l  200  226202 

427 

22.225.41.22 

3/5/2010  6:28 

GMT+0000 

"GET /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt_path_info=ktcore.actions.document.view&fDocumentld=133296  HTTP/l.l  200  185355 
"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

428 

22.225.41.22 

3/5/2010  6:28 

GMT+OOOO 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.viewiitDocumentld-133319  H 1 1  P/l.l  2UU  235159 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

429 

22.225.41.22 

3/5/2010  6:28 

GMT+OOOO 

"GET  /intelink.  wip.ismc.sgov.gov/inteldocs/attion. php?kt pathJnfo=ktcore.actions.document.view&fDocumentld=133301  HTTP/l.l  200  2b/22b 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

430 

22.225.41.22 

3/5/2010  6:28 

GMT+OOOO 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt_path_info=ktcore.actions.document.view&fDocumentld=133298  HTTP/l.l  200  3752372 
"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

431 

22.225.41.22 

3/5/2010  6:28 

GMT+OOOO 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt pathjnfo=ktcore. actions. document.view&fDocumentld=133320  HTTP/l.l  200  417194 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

432 

22.225.41.22 

3/5/2010  6:37 

GMT+OOOO 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt_path_info=ktcore. actions. document.  view&fDocumentld=133317  HTTP/l.l  000  0 

TjmeZone - 

- - - — 

3/5/2010  6.38 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt_path_info=ktcore.actions.document.view&fDocumentld-133317  HTTP/1.1  200  243848 
"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

"GET /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt_path_info=ktcore.actions.document.view&fDocumentld-133308  HTTP/1.1  000  0 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt_pathJnfo=ktcore.actions.document.view&fDocumentld-133308  HTTP/1.1  200  3404yu 

3/5/2010  6:38 

GMT+0000 

"GET  /i ntelink.wip.ismc.sgov.gov/inteldocs/act ion. php?kt_path_info=ktcore.actions.document.view&fDocumentld-133302  HTTP/1.1  000  0 

3/5/2010  6:38 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/aaion.php?kt path info=ktcore.attions.document.view&fDocumentld=133302  HTTP/1.1  200192969 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt pathJnfo=ktcore.actions.document.view&tDocumentid-i33299  m  1 1  P/i.l  000  0 

"httD://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

3/5/2010  6:38 

GMT+0000 

"GET /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions  document. view&fDocumentld=133299  HTTP/1.1  20U  31064b 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt_pathJnfo=ktcore.actions.document.view&fDocumentld-133314  HTTP/1.1  000 0 

GMT+0000 

"GET /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt_path_info=ktcore.actions.document.view8ifDocumentld-133314  HTTP/1.1  200  2394b5 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

3/5/2010  6:38 

GMT+0000 

"GET/intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt_path_info=ktcore.actions.document.view8ifDocumentld=130108  HTTP/1.1  0000 

443 

22.225.41.22 

3/5/2010  6:38 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action.php?kt_path_info=ktcore.actions.document.view&fDocumentld-130108  HTTP/1.1  200  301964 
"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

22.225.41.22 

3/5/2010  6:38 

GMT+0000 

"GET /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt_path_info-ktcore.actions.document.view8tfDocumentld  133297  HTTP/1.1  000  0 
"httD://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

445 

22.225.41.22 

3/5/2010  6:38 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld=133297  HTTP/1.1  200  417321 

446 

22.225.41.22 

3/5/2010  6:38 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/aaion. php?kt_path_info=ktcore.actions.document.view&fDocumentld-133306  HTTP/1.1  000  0 

447 

22.225.41.22 

3/5/2010  6:38 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/aaion.php?kt_path_info=ktcore.aaions.document.view&fDocumentld-133306  HTTP/1.1  200  323924 
"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

448 

22.225.41.22 

3/5/2010  6:38 

GMT+0000 

"GET  /intelink.  wip.ismc.sgov.gov/inteldocs/action.php7kt_path  Jnfo=ktcore.attions.document.view&fDocumentld=144734  HTTP/1.1  000  0 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

449 

22.225.41.22 

3/5/2010  6:38 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/aaion.php?kt path info=ktcore.aaions.document.view&fDocumentld=144734  HTTP/1.1  200  69043 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

450 

22.225.41.22 

3/5/2010  6:38 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/aaion.php?kt pathJnfo=ktcore.aaions.document.view&fDocumentld=133305  HTTP/1.1  000  0 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

451 

22.225.41.22 

3/5/2010  6:38 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/aaion.php?kt pathJnfo=ktcore.aaions.document.view&fDocumentld-133305  HTTP/1.1  200  857159 

22.225.41.22 

3/5/2010  6:39 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/aaion.php?kt_path_info-ktcore.aaions.document.view&fDocumentld-133312  HTTP/1.1  200  309432 
"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

453 

22.225.41.22 

3/5/2010  6:39 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/aaion. php?kt path info=ktcore.aaions.document.view&fDocumentld=133309  HTTP/1.1  200  186278 

454 

22.225.41.22 

3/5/2010  6:39 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt_pathJnfo=ktcore.actions.document.view&tDocumentid-i333i6  h  i  i  p/1.1  200  287716 

455 

22.225.41.22 

3/5/2010  6:40 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/aaion.php?kt_path_info=ktcore.aaions.document.view&fDocumentld-144739  HTTP/1.1  200  159677 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

456 

22.225.41.22 

3/5/2010  6:40 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/aaion.php?kt_pathjnfo=ktcore.aaions. document. view8ifDocumentld-133313  HTTP/1.1  200  486536 

- - 

22  225  41  22 

GMT+0000 

"GET  /intelink.wip. ismc. sgov.gov/inteldocs/action.php?kt path info-ktcore.actions.document.viewl4tuocumentio-i3UUB:>  hi  i k/i . i  zuu  z62626 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessment^ - . - 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action.php?kt_path_info=ktcore.actions.document.view&fDocumentld-133311  H 1 1  H/l.l  200 140329 
"http://www.intelink.sgov.gov/wiki/JTF-GTMO_Detainee  Assessments" _ _ — - 

""GET /Intelink.wip.csmc.sgov.gov/inteldocs/action.php?kt_pathJnfo=ktcore.actions.document.vjew&tDocumentld=i333U3  n  1 1  k/i.i  zuu  ziuzi^ 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore. actions. document. view&fDocumentld=13331S  HTTP/1.1  200  247818 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee_Assessments'; - - - - : - - 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action.php7kt _path_info=ktcore.actions.document.view8>fDocumentld-133316  HTTP/1.1  200  943278 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" - - - 

"GET  /intelink.wip. ismc. sgov.gov/inteldocs/action. php?kt _path_info=ktcore.actions.document.view&fDocumentld-1333U0  H 1 1  P/i.i  200  526895 
"http://www.intelink.sgov.gov/wiki/JTF-GTMO_Detainee_Assessments" _ _ _ _  _ _ _ 

GMT+0000 

"GET  /intelink.wip. ismc. sgov.gov/inteldocs/action. php?kt_path_info=ktcore. actions. document.view&fDocumentld=133401  HTTP/1.1  200  368949 

"GET/intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt_path_info=ktcore.actions.document.view&fDocumentld=133405  HTTP/1.1  200  669860 
"http7/www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments"  _ _ _ _ _ 

“GET  /intelink.wip. ismc. sgov.gov/inteldocs/action.php?kt_path_info=ktcore. actions. document. view8ifDocumentld=133399  HTTP/1.1  200  724593 
"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments"  

22.225.41.22 

3/5/2010  6:42 

GMT+0000 

"GET /intelink.wip. ismc.sgov.gov/inteldocs/action.php?kt pathJnfo=ktcore.actions.document.view&fDocumentld-13Ul4B  hi  i p/i.i  2uu  293uo7 

"http://www.intelink.sgoy.gov/wiki/JTF-GTMO_Detainee_Assessments: - - - - 

22  225.41.22 

3/5/2010  6:42 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt_pathJnfo=ktcore.actions.document.view8ifDocumentld-130113  H 1 1  P/1.1  4UU  4yyy38 

22.225.41.22 

3/5/2010  6:42 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action.php?kt_path_info=ktcore.actions.document.view&fDocumentld-133403  H 1 1  H/l.l  200  244482 
"http://www.intelink.sgov.gov/wiki/JTF-GTMO_Detainee_Assessments" - , — . . - 

22.225.41.22 

3/5/2010  6:42 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt_pathJnfo=ktcore.actions.document.view&fDocumentld- 130134  HTTP/l.i  2U0  3i0295 

22.225.41.22 

3/5/2010  6:42 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt_path_info=ktcore.actions.document.view&fDocumentld=133404  HTTP/1.1  200  414793 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" — 

472 

22.225.41.22 

3/5/2010  6:42 

GMT+0000 

"GET /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld=133402  HTTP/1.1  200  798056 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" _ 

473 

22.225.41.22 

3/5/2010  6:42 

GMT+0000 

"GET  /intelink.wip, ismc.sgov.gov/inteldocs/action. php?kt_pathJnfo=ktcore.actions.document.view&fDocumentld=133400  HTTP/1.1  200  652750 
“http://www.intelink.5gov.gov/wiki/JTF-GTMO  Detainee  Assessments" . 

22.225.41.22 

3/5/2010  6:42 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path mfo=ktcore.actions.document.view&fDocumentld-133398  HTTP/1.1  200  3880679 

475 

22.225.41.22 

3/5/2010  6:43 

GMT+0000 

"GET  /intelink. wip. ismc. sgov.gov/inteldocs/action. php?kt_path_info=ktcore.actions. document. view&fDocumentld=133384  HTTP/1.1  504  492 

"httn://www. intelink.SEQv.gov/wiki/JTF-GTMO  Detainee  .Assessments" . . . . 

476 

22.225.41.22 

3/5/2010  6:43 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt_path_info=ktcore.actions.document.view&fDocumentid-i33382  HTTP/1.1  200  2363035 
"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

477 

22.225.41.22 

3/5/2010  6:43 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt_path_info=ktcore.actions.document.view&fDocumentld-133385  HTTP/1.1  200  1353568 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO_Detainee_Assessments" - - 

478 

22.225.41.22 

3/5/2010  6:43 

GMT+0000 

"GET  /intelink.wip. ismc. sgov.gov/inteldocs/action.php?kt_path_info=ktcore. actions. document. view&fDocumentld=133381  HTTP/1.1  200  511654 
"http://www.intelink.sgov.gov/wiki/JTF-GTMO.Detainee_Assessments: _ __  _ _ _ 

479 

22.225.41.22 

3/5/2010  6:43 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt_path_info=ktcore.actions.document.view&fDocumentld=144600  HTTP/1.1  200  58/13 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee Assessments" - -  — — — — — r— - 

480 

22.225.41.22 

3/5/2010  6:45 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore. actions. document. view&fDocumentld=133383  HTTP/1.1  200  575969 

"http://www.intelink.sgov.Eov/wiki/JTF-GTMO_Detainee  Assessments" _ _ _ _ _ 

Number 

Date/  Time 

Time  Zone 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view8ifDocumentld-130188  HTTP/1.1  200  3230/8 

'http://www.intelink.sgov.gov/wiki/JTF-GTMO_Detainee  Assessments" . . . .  n, - 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt_path_info=ktcore.actions.document.view8ifDocumentld  144601  HTTP/1.1  504  492 

'http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments"  . . .  . —  - 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt_path_info=ktcore.actions.document.view&fDocumentld  133397  HTTP/1.1  504  492 
"http://www.intelink.sgov.gov/wiki/JTF-GTMO_Detainee  Assessments"  - - - 

"GET/intelink.wip.ismc.sgov.gov/inteldocs/actTon.php?kt_pathJnfo=ktcore.actions.document.view&fDocumentld-133396  HTTP/1.1  200  4483405 
"http://www.intelink.sgov.gov/wiki/JTF-GTMO_Detainee_Assessments: . . . .  . . . . „ . 

“GET  /intelink. wip.ismc.sgov.gov/inteldocs/action.php7kt_path_mfo-ktcore.actions.document.view8ifDocumentld-133394  HTTP/1.1  200  429689 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments^ , — -  .  .  — - 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld  133395  HTTP/1.1  504  92 

""GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt_path_info=ktcore.actions.document.view8ifDocumentld-144739  HTTP/1.1  200  159677 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detamee Assessment£ . . . . . — - 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore.actions.document.view&fDocumentld  133392  HTTP/1.1  200  433  a 

“http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee Assessments: . . . . . . . . 

"GET  /intelink.wip.  ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld=133391  HTTP/1.1  504  492 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO_Detainee_Assessments: - ___ - - - r . . =. - 

“GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt_path_info=ktcore.actions.document.view8ifDocumentld=133389  HTTP/1.1  504  492 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments: . . . .  . . . 

3/5/2010  6:51 

GMT+0000 

"GET /intelink.wip. ismc.sgov.gov/mteldocs/action. php?kt pathJnfo=ktcore.actions.document.viewsituocumentld-144bUZ  HI  IP/l.i  2UU  U34Uj 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO_Detainee_Assessments: _ _ _ _ _ _ 

3/5/2010  6:51 

GMT+000Q 

"GET  /intelink. wip.ismc.sgov.gov/inteldocs/action.php?kt_path_info=ktcore. actions. document.view8ifDocumentld-133386  HTTP/1.1  20U  3242/1 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO Detainee  Assessments"  — — -  — — —  - 

22  225  41  22 

3/5/2010  6:52 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view8ifDocumentld  130164  HTTP/1.1  200  252549 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO_Detainee_Assessments" . . . . . . ; - 

3/5/2010  6:52 

GMT+0000 

"GET  /intelink.  wip.lsmc.sgov.gov/inteldocs/action.php?kt_path_info=ktcore.actions.document.view&fDocumentld*144603  HTTP/1.1  200  5328870 
"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee Assessments" — —  —  — — — - 

3/5/2010  6:52 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view&fDocumentld-l3Ul23  HTTP/1.1  504  492 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO Detainee Assessments" - 

22  225.41.22 

3/5/2010  6:52 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path mfo=ktcore.actions.document.view&fDocumentld-133390  HTTP/1.1  504  492 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO_Detainee_Assessments: -  .  _ s _ _ _ 

22.225.41.22 

3/5/2010  6:52 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt_pathJnfo=ktcore.actions.document.view&tDocumentia-i5Uiuo  n  i  <  P/1.1  504  492 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO Detainee Assessments" -  - -  - 

3/5/2010  6:55 

GMT+0000 

"GET  /intelink. wip.ismc.sgov.gov/inteldocs/action.php?kt pathJnfo=ktcore.actions.document.view&fDocumentld-133388  HTTP/1.1  200  3724575 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO Detainee Assessments"  niM-iurmin-imumm - 

3/5/2010  6:55 

GMT+0000 

"GET  /intelink. wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore. actions. document. viewSifDocumentld-133387  HTTP/1.1  2U0  2584UU 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO_Detainee_Assessments: . . . . - 

22  225  41.22 

3/5/2010  6:56 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt_path_info=ktcore.actions.document.view&fDocumentld-1334l2  HTI P/1.1  5U4  492 
"http://www.intelink.sgov.gov/wiki/JTF-GTMO_Detainee_Assessments: - - - ■ — - ...— - 

3/5/2010  6:56 

GMT+0000 

“GET  /intelink, wip.ismc.sgov.gov/inteldocs/act ion. php?kt_path_info=ktcore.actions.document.view8ifDocumentld=144739  HTTP/1.1  200  159677 
''http://www.intelink.sgov.gov/wiki/JTF-GTMO_Detainee_Assessments: _ . — _ _ _ _ 

22.225.41.22 

3/5/2010  6:56 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt_path_info=ktcore.actions.document.view8ifDocumentld=133410  HTTP/1.1  504  492 
"httn://www. intelink.sgov.gov/wiki/JTF-GTMO  Detainee_Assessments" - - - .  _ _ - 

3/5/2010  6:57 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt_path_info=ktcore.actions.document.view&fDocumentld=133408  HTTP/1.1  504  492 

"httn://www. intelink.sgov.gov/wiki/JTF-GTMO  Detainee_Assessments" _ _ _ _ — .  _ _ - 

504 

22.225.41.22 

3/5/2010  6:57 

GMT+0000 

"G6T /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt_path_info=ktcore. actions. document.view&tDocumentld=l334U/  n  1 1  e/i.i  3u<t  *>3+ 

"http://www.intelink.sgov  gov/wiki/JTF-GTMO_Detainee_Assessments: _ _ _ 

[flumbgi — 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt_pathJnfo=ktcore.actions.document.view&fDocumentld=1334ii  H 1 1  P/l.i  biw  49Z 

"httD://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

GMT+OOOO 

"GET /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore.actions.document.view8ifDocumentld=133426  HTTP/l.l  200  108/oy 

"http://www.intelink.SKOv.ROv/wiki/JTF-GTMO  Detainee Assessments" 

GMT+OOOO 

"GET /intelink.wip. ismc.sgov.gov/inteldoes/action. php?kt path info=ktcore.actions.document.view&fDocumentld  12998/  HI  IP/l.l  2UU  2bt>834 

"GET  /intelink.wip.ismc.s"gov.gov/inteldocs/action.php?kt_path_info=ktcore. actions. document. view&fDocumentld=130014  HTTP/1.1  200  305338 

GMT+OOOO 

"GET  /intelink.wip. ismc. sgov.gov/inteldocs/action. php?kt_path_info=ktcore. actions. document.view&fDocumentld-129999  H 1 1 P/l.l  200  295075 
"http://www.mtelink.sgov.gov/wiki/JTF-GTMO  Detainee Assessments" 

GMT+OOOO 

"GET /intelink.wip. ismc.sgov.gov/inteldocs/action.php?kt path info=ktcore. actions. document.view8ifDocunnentld=130048  HTTP/l.l  200  284779 

GMT+OOOO 

"GET/intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt_path_info=ktcore.actions.document.view&fDocumentld=130063  HTTP/l.l  200  255790 
“http://www.intelink.SROv.KOv/wiki/JTF-GTMO  Detainee  Assessments" 

3/5/2010  7:02 

GMT+OOOO 

"GET /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt path info=ktcore.actions.document.view&fDocumentld-133435  Hnp/1.1  2uu  286845 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

GMT+OOOO 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt_path_info=ktcore. actions. document.view8ifDocumentld=133431  HTTP/l.l  200  278930 
"http://www.intelink.sROv.Rov/wiki/JTF-GTMO  Detainee  Assessments" 

3/5/2010  7:02 

GMT+OOOO 

"GET /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt_path_info=ktcore. actions. document.view8ifDocumentld=130176  HTTP/l.l  200  260843 

"http://www.intelink.SROv.Rov/wiki/JTF-GTMO  Detainee  Assessments" 

515 

22.225.41.22 

3/5/2010  7:03 

GMT+OOOO 

"GET /intelink.wip. ismc.sgov.gov/mteldocs/action. php?kt path info=ktcore.actions.document.viewfitDocumentid  1334/3  h  1 1  p/1.1  2UU  4tMb41 

”htto://www.intelink.SKOV.gov/wiki/JTF-GTMO  Detainee  Assessments" 

516 

22.225.41.22 

3/5/2010  7:03 

GMT+OOOO 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt_path_info=ktcore.actions.document.view8ifDocumentld=133424  HTTP/l.l  200152255 

"http://www.intelink.SROv.RQv/wiki/JTF-GTMO  Detainee  Assessments" 

517 

22.225.41.22 

3/5/2010  7:03 

GMT+OOOO 

"GET/intGlink.wip.ismc.sgov.gov/inteldocs/action.php?kt pathJnfo=ktcore.actions.document.view&tDocumentid  I3i4^b  mi  ih/i.i  200  126398 

518 

22.225.41.22 

3/5/2010  7:04 

GMT+OOOO 

"GET /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt_path_info=ktcore.actions.document.view8ifDocumentld=133432  HTTP/l.l  200  9/185 

519 

22.225.41.22 

3/5/2010  7:04 

GMT+OOOO 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action. php?kt_path_info=ktcore.actions.document.view&fDocumentld-130l9l  M 1 1  p/1.1  2uu  236908 

520 

22.225.41.22 

3/5/2010  7:04 

GMT+OOOO 

"GET/intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt _path_info-ktcore.actions.document.viewSiTUocumentia-J33433  hi  ip/ia  200 364969 
"http://www.intelink.sgov.gov/wiki/JTF-GTMO_Detainee_Assessments"  _ _ _ 

521 

22.225.41.22 

3/5/2010  7:04 

GMT+OOOO 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt_pathJnfo=ktcore.actions.document.view8ifDocumentld-133434  HTTP/l.l  2U0  215BU8 

"http://www.intelink.SROv.Rov/wiki/JTF-GTMO  Detainee  Assessments" 

522 

22.225.41.22 

3/5/2010  7:04 

GMT+OOOO 

"GET  /intelink.  wip.lsmc.sgov.gov/inteldocs/action.php  ?kt_path_info=ktcore.actions.document.view&fDocumentld-130043  HTTP/l.l  200263541 
”httn://www. intelink.seov.gov/wiki/JTF-GTMO  Detainee  Assessments" _ _ _ . _ _ _ _ _■  ; - 

523 

22.225.41.22 

3/5/2010  7:04 

GMT+OOOO 

"GET /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt _path_info=ktcore.actions.document.view&fDocumentld-133429  HTTP/l.l  200  359012 
"http://www.intelink.sgov.gov/wiki/JTF-GTMO_Detainee_Assessments" - —  — - 

524 

22  225.41.22 

3/5/2010  7:04 

GMT+OOOO 

"GET  /intelink.wip  jsmc.sgov.gov/inteldocs/action. php?kt_pathJnfo=ktcore.actions.documentA/iew&tDocumentld-l3U0b5  h  1  FP/1.1  200  233328 

525 

22.225.41.22 
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s.document.view&fDocumentld=129955  HTTP/1.1"  200  278354  "Wget/1.11.4" 

749 

22.225.41.22 

3/7/2010  6:54 

GMT+OOOO 

"GET  /intelink.wip.ism 

sgov.gov/inteldocs/action.php7kt  path  info=ktcore.action 

iS.document.view&fDocumentld=129972  HTTP/1.1"  200  322987 "Wget/1.11.4" 

750 

22.225.41.22 

3/7/2010  6:54 

GMT+0000 

"GET  /intelink.wip.ism 

.sgov.gov/inteldocs/action.php7kt path  info=ktcore.action 

is.document.view&fDocumentld=144723  HTTP/1.1"  200  254449  "Wget/1.11.4" 

751 

22.225.41.22 

3/7/2010  6:54 

GMT+OOOO 

"GET  /intelink.wip.ism 

.sROv.ROv/inteldocs/action.php?kt  path  info=ktcore. actions. document.view&fDocumentld=129966  HTTP/1. 1"  200  307213  "Wget/1.11.4" 

752 

22  225.41.22 

3/7/2010  6:54 

GMT+OOOO 

.sgov.gov/inteldocs/action.php7kt  path  info=ktcore.action 

is. document. view&fDocumentld=129963  HTTP/1.1"  200  270336  "Wget/1.11.4" 

753 

22.225.41.22 

3/7/2010  6:55 

GMT+OOOO 

"GET  /intelink.wip.ism 

.sgov.gov/inteldocs/action.php7kt  path  info=ktcore. action 

is.document.view&fDocumentld=129962  HTTP/1.1"  200  263645  "Wget/1.11.4" 

754 

22.225.41.22 

3/7/2010  6:55 

GMT+OOOO 

.sgov.gov/inteldocs/action.php7kt  path  info=ktcore. action 

is. document. view&fDocumentld=129967  HTTP/1.1"  200  296212  "Wget/1.11.4" 

755 

22.225.41.22 

3/7/2010  6:55 

GMT+OOOO 

.sgov.gov/inteldocs/action.php7kt  path  info=ktcore. action 

is.document.view8ifDocumentld=129974  HTTP/1.1"  200  256760 "Wget/1.11.4" 

756 

22.225.41.22 

3/7/2010  6:55 

GMT+OOOO 

sgov.gov/inteldocs/action.php7kt  path  info=ktcore. actions. document.view&fDocumentld=129957  HTTP/1.1"  200  295266  "-"  "Wget/1.11.4" 

757 

22.225.41.22 

3/7/2010  6:55 

GMT+OOOO 

-.sgov.gov/inteldocs/action.php7kt  path  info=ktcore.actions.document.view8ifDocumentld=144725  HTTP/1.1"  200  156884  "Wget/1.11.4" 

758 

22.225.41.22 

3/7/2010  6:55 

GMT+OOOO 

"GET  /intelink.wip.ism! 

:.sgov.gov/inteldocs/action.php?kt  path  info=ktcore.actions.document  view&fDocumentld=144712  HTTP/1. 1”  200  502306 "Wget/1.11.4" 

759 

22.225.41.22 

3/7/2010  6:55 

GMT+OOOO 

"GET /intelink.wip.ism! 

-  sgov.gov/inteldocs/action.php7kt  path  info=ktcore.actians.document.view&fDocumentld=144709  HTTP/1.1"  200633040  "Wget/1.11.4" 

760 

22.225.41.22 

3/7/2010  6:55 

GMT+OOOO 

"GET  /intelink.wip.ism! 

SROv.gov/inteldocs/action. php?kt  path  info=ktcore. actions. document.view&fDocumentld=144710  HTTP/1. 1”  200  1011613  "Wget/1.11.4" 

761 

22.225.41.22 

3/7/2010  6:56 

GMT+OOOO 

"GET  /intelink.wip.ism! 

:.sgov.gov/inteldocs/action.php?kt  path  info=ktcore.action 

is. document. view&fDocumentld=144713  HTTP/1.1"  200  592282  "Wget/1.11.4" 

762 

22.225.41.22 

3/7/2010  6:56 

GMT+OOOO 

"GET /intelink.wip.ism! 

-  sgov  gov/inteldocs/action.php?kt  path  info=ktcore.actions.document.view&fDocumentld=144716  HTTP/1.1"  200  1233497  "Wget/1.11.4" 

763 

22.225.41.22 

3/7/2010  6:56 

GMT+OOOO 

-.sgov.eov/inteldocs/action.php?kt  path  info=ktcore.actions.document.view&fDocumentld=129968  HTTP/1.1"  200  265915  "Wget/1.11.4" 

764 

22.225.41.22 

3/7/2010  6:56 

GMT+OOOO 

:.sgov.gov/inteldocs/action.php?kt  path  info=ktcore.aaior 

is. document. view&fDocumentld=129964  HTTP/1.1"  200  322541 "Wget/1.11.4"  "-" 

765 

22.22S.41.22 

3/7/2010  6:57 

GMT+OOOO 

"GET /intelink.wip.ism! 

:.sgov.gov/inteldocs/action.php?kt  path  info=ktcore.actior 

is. document. view8ifDocumentld=144714  HTTP/1.1"  200  812714  “Wget/1.11.4" "-" 

766 

22.225.41.22 

3/7/2010  6:57 

GMT+OOOO 

"GET /intelink.wip.ism! 

:. sgov.gov/inteldocs/action.php7kt  path  info=ktcore.actior 

is.document.view&fDocumentld=129970  HTTP/1.1"  200  2S3939  "Wget/1.11.4" 

767 

22.225.41.22 

3/7/2010  6:57 

GMT+OOOO 

:.sgov.gov/inteldocs/action.php?kt  path  info=ktcore.actior 

is. document. view&fDocumentld=129969  HTTP/1.1"  200  266138  "Wget/1.11.4" 

768 

22.225.41.22 

3/7/2010  6:57 

GMT+OOOO 

:.sgov.gov/inteldocs/action.php?kt  path  info=ktcore.actior 

is. document. view&fDocumentld=129973  HTTP/1.1"  200  268028  "Wget/1.11.4" 

769 

22.225.41.22 

3/7/2010  6:57 

GMT+OOOO 

:  sgov.gov/inteldocs/action.php7kt  path  info=ktcore.actions.document.view&fDocumentld=129959  HTTP/1.1"  200  302968 "Wget/1.11.4" 

770 

22.225.41.22 

3/7/2010  6:57 

GMT+OOOO 

"GET  /intelink.wip.ism! 

:  sgov.gov/inteldocs/action.php7kt  path  info=ktcore.actions.document.viewgifDocumentld=129958  HTTP/1.1"  200  278356  "Wget/1.11.4" 

771 

22.225.41.22 

3/7/2010  6:57 

GMT+OOOO 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt  path  info=ktcore.actions.document.view&fDocumentld=144711  HTTP/1.1"  200  1215762  "Wget/1.11.4" 

772 

22.225.41.22 

3/7/2010  6:57 

GMT+OOOO 

"GET/intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt  path  info=ktcore.actions.document.view&fDocumentld=144715  HTTP/1.1"  200  667063  "Wget/1.11.4" 

773 

22.225.41.22 

3/7/2010  6:58 

GMT+OOOO 

"GET  /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt  path  info=ktcore. actions. document.view&fDocumentld=144708  HTTP/1.1"  200  211954  "Wget/1.11.4" 

774 

22.225.41.22 

3/7/2010  7:04 

GMT+OOOO 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action.php7kt  path  info=kt core. actions. document  view&fDocumentld=144034  HTTP/1.1"  200  63384  "Wget/1.11.4" 

775 

22.225.41.22 

3/7/2010  7:05 

GMT+OOOO 

"GET  /intelink. wip.ismc.sgov.gov/inteldocs/action.php7kt  path  info=ktcore.actions.document.view8.fDoajmentld=1300069  HTTP/1.1"  200  92412  "Wget/1.11.4" 

776 

22.225.41.22 

3/7/2010  7:06 

GMT+OOOO 

"GET  /intelink  wip  ismc.sgov.gov/inteldocs/action.php7kt  path  info=ktcore.actions.document.view&fDocumentld=130069  HTTP/1. 1"  200  251131 "Wget/1.11.4" 

777 

22.225.41.22 

3/7/2010  21:54 

GMT+OOOO 

"GET /intelink.wip.ismc.sgov.gov/inteldocs/action.php?kt pathJnfo=ktcore.actions.document.view&fDocumentld=144739  HTTP/1.1 ' 200  159735 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

778 

22.225.41.22 

3/7/2010  21:54 

GMT+OOOO 

"GET  /intelink.wip. ismc.sgov.gov/inteldocs/action.php?kt pathJnfo=ktcore.actions.document.view&fDocumentld=133640  HTTP/1.1  200  209527 

"http://www.intelink.sgov.gov/wiki/JTF-GTMO  Detainee  Assessments" 

Line  Number  Source  IP  Date  Time _ TimeZone  Action 


1 

22.225.41.40 

29  Dec  09  19:37:14 

+0000 

"GET  /intelink.wip.ismc.sgov.gov/search/default.aspx?queryid=b4e06296-daf3- 
4042-8e8c- 

f83778b66ab7&qsrc=augoogle&seqNum=l&display=cached&q=cache:S4or9qtsT 
7YJ:http://acic.north-inscom.  army.smil.mil/Products/ASR/RB08- 
0617.asp+wikileaks  HTTP/1.1"  200  32229 

"http://www. intelink.sgov.gov/search/default. aspx?q=wikileaks" 

2 

22.225.41.40 

14  Feb  10  23:31:37 

+0000 

"GET  /intelink.wip.ismc.sgov.gov/search/LinkThrough.aspx?id=542fflaa-2924- 

496e-8844- 

bced31826c62&qsrc=augoogle&seqNum=4&linkURL=http://acic.north- 
inscom.army.smil.mil/Products/ASR/RB08-0617.doc  HTTP/1.1"  302  917 
"http://www.intelink.sgov.gov/search/default.aspx7ta  rgetPage=%252Fsearch%2 
52Fdefault.aspx&q=wikileaks&btnSearch=Search" 

3 

22.225.41.40 

01  Mar  10  23:41:01 

+0000 

"GET  /intelink.  wip.ismc.sgov.gov/search/LinkThrough. aspx?id=el39d50e-5304- 
41f9-aa9f-a79c01a0de8c&qsrc=augoogle&seqNum=l&linkURL=http://acic. north 
inscom.army.smil.mil/Products/ASR/RB08-0617.asp  HTTP/l.l"  302  917 
"http://www.intelink.sgov.gov/search/default.aspx?q=wikileaks" 

4 

22.225.41.40 

01  Mar  10  23:42:33 

+0000 

"GET  /intelink.wip.ismc.sgov.gov/search/LinkThrough.aspx?id=el39d50e-5304- 
41f9-aa9f-a79c01a0de8c&qsrc=augoogle&seqNum=2&linkURL=http://acic.north 
inscom.army.smil.mil/Products/ASR/RB08-0617.doc  HTTP/l.l"  302  917 
"http://www.intelink.sgov.gov/search/default.aspx?q=wikileaks" 

1 

22.225.41.40 

2/14/2010  23:24 

GMT+0000 

"GET  /intelink.wip. ismc.sgov. gov/search/default. aspx?targetPage=%2Fsearch%2Fdefault.aspx&q=wikileaks  HTTP/1.1"  200 
11269 

"http://www.intelink.sgov.gov/search/default.aspx?targetPage=%252Fsearch%252Fdefault.aspx&q=%2522army+network 

+warfare%2522+battalion" 

2 

22.225.41.40 

2/14/2010  23:24 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/search/default.aspx?queryid=542fflaa-2924-496e-8844- 

bced31826c62&qsrc=augoogle&entqr=0&targetPage=%2Fsearch%2Fdefault.aspx&open_new=0&q=wikileaks&num=10&b 
tnSearch=Search&gid=09e4fa80-dd82-102c-93b5-005056b340dc&sort=date:D:S:dl  HTTP/l.l"  200  12197 
Mhttp://www.intelink.sgov.gov/search/default.aspx?targetPage=%252Fsearch%252Fdefault.aspx&q=wikileaks&btnSearch= 
Search" 

3 

22.225.41.40 

2/14/2010  23:24 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/WebResource.axd?d=8rr-NxeSaaUNIC8cb5EtLw2&t=633697889942384210  HTTP/l.l" 

200  4735  "http://www. intelink.sgov. gov/search/default. aspx?queryid=542fflaa-2924-496e-8844- 

bced31826c62&qsrc=augoogle&entqr=0&targetPage=%252Fsearch%252Fdefault.aspx&open_new=0&q=wikileaks&num= 

10&btnSearch=Search&gid=09e4fa80-dd82-102c-93b5-005056b340dc&sort=date:D:S:dl" 

4 

22.225.41.40 

2/14/2010  23:24 

GMT+0000 

"GET  /intelink.wip.  ismc.sgov. gov/WebResource.axd?d=l  _£y0lp3hlMsymgECeQEGVspHLhFPAh3Z3aQxX- 
DUKPF0FsAeHim_H6ffcfv-DBrgs2ilGhaexeGdn6ZcQSOHggFu0amPzWw-UQvlXZm7Cwl&t=633830689800000000 

HTTP/l.l"  200  69988  "http://www.intelink.sgov.gov/search/default.aspx?queryid=542fflaa-2924-496e-8844- 

bced31826c62&qsrc=augoogle&entqr=0&targetPage=%252Fsearch%252Fdefault.aspx&open_new=0&q=wikileaks&num= 

10&btnSearch=Search&gid=09e4fa80-dd82-102c-93b5-005056b340dc&sort=date:D:S:dl" 

5 

22.225.41.40 

2/14/2010  23:24 

GMT+0000 

"GET /intelink.wip.ismc.sgov.gov/WebResource.axd?d=az7kDRRcqCltV13zGP21nQ2&t=633697889942384210  HTTP/l.l" 
200  6587  "http://www.intelink.sgov.gov/search/default.aspx?queryid=542fflaa-2924-496e-8844- 

bced31826c62&qsrc=augoogle&entqr=0&targetPage=%252Fsearch%252Fdefault.aspx&open_new=0&q=wikileaks&num= 

10&btnSearch=Search&gid=09e4fa80-dd82-102c-93b5-005056b340dc&sort=date:D:S:dl" 

6 

22.225.41.40 

2/14/2010  23:24 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/WebResource.axd?d=l  _gy0lp3hlMsymgECeQEGVspHLhFPAh3Z3aQxX- 
DUKPF0FsAeHim_H6ffcfv-DBrgs2ilGhaexeGdn6ZcQSOHrrECUN-JrTlo9cqZ7hFOysl&t=633830689800000000  HTTP/l.l"  200 
3769  "http://www.intelink.sgov. gov/search/default.aspx?queryid=542fflaa-2924-496e-8844- 

bced31826c62&qsrc=augoogle&entqr=0&targetPage=%252Fsearch%252Fdefault.aspx&open_new=0&q=wikileaks&num= 

10&btnSearch=Search&gid=09e4fa80-dd82-102c-93b5-005056b340dc&sort=date:D:S:dl" 

7 

22.225.41.40 

2/14/2010  23:24 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/images/powerpoint.png  HTTP/l.l"  200  642 
"http://www.intelink.sgov.gov/search/default.aspx?queryid=542fflaa-2924-496e-8844- 

bced31826c62&qsrc=augoogle&entqr=0&targetPage=%252Fsearch%252Fdefault.aspx&open_new=0&q=wikileaks&num= 

10&btnSearch=Search&gid=09e4fa80-dd82T02c-93b5-005056b340dc&sort=date:D:S:dl" 
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8 

22.225.41.40 

2/14/2010  23:24 

GMT+0000 

"GET 

/intelink.wip. ismc.sgov.gov/WebResource. axd?d=f7qxzmSJySUWySVloDIUMBtogMBBSI4SE5NjywTfFHkl&t=63369788994 
2384210  HTTP/1.1"  200  563  "http://www.intelink.sgov.gov/search/default.aspx?queryid=542fflaa-2924-496e-8844- 
bced31826c62&qsrc=augoogle&entqr=0&targetPage=%252Fsearch%252Fdefault.aspx&open_new=0&q=wikileaks&num= 
10&btnSearch=Search&gid=09e4fa80-dd82-102c-93b5-005056b340dc&sort=date:D:S:dl" 

9 

22.225.41.40 

2/14/2010  23:24 

GMT+0000 

"GET  /intelink.wip. ismc.sgov.gov/images/excel.png  HTTP/1.1"  200  1235 
"http://www.intelink.sgov.gov/search/default.  aspx?queryid=542fflaa-2924-496e-8844- 

bced31826c62&qsrc=augoogle&entqr=0&targetPage=%252Fsearch%252Fdefault.aspx&open_new=0&q=wikileaks&num= 

10&btnSearch=Search&gid=09e4fa80-dd82-102c-93b5-005056b340dc&sort=date:D:S:dl" 

10 

22.225.41.40 

2/14/2010  23:24 

GMT+0000 

"GET 

/intelink.wip. ismc.sgov.gov/WebResource. axd?d=KzTgTUXRKeBAR7YMNKi8OA0Jc2eqE8igl72uC9rJzkl&t=6336978899423 
84210  HTTP/1.1"  200  569  "http://www.intelink.sgov.gov/search/default.aspx?queryid=542fflaa-2924-496e-8844- 
bced31826c62&qsrc=augoogle&entqr=0&targetPage=%252Fsearch%252Fdefault.aspx&open_new=0&q=wikileaks&num= 
10&btnSearch=Search&gid=09e4fa80-dd82-102c-93b5-005056b340dc&sort=date:D:S:dl" 

11 

22.225.41.40 

2/14/2010  23:24 

GMT+0000 

"GET 

/intelink.wip.  ismc.sgov.gov/WebResource.axd?d=5qHWdnmWCMykq74pUOgbDQJYI6XE2tcAUVtdz47geRMl&t=63369788 
9942384210  HTTP/1.1"  200  495  "http://www.intelink.sgov.gov/search/default.aspx?queryid=542fflaa-2924-496e-8844- 
bced31826c62&qsrc=augoogle&entqr=0&targetPage=%252Fsearch%252Fdefault.aspx&open_new=0&q=wikileaks&num= 
10&btnSearch=Search&gid=09e4fa80-dd82-102c-93b5-005056b340dc&sort=date:D:5:dl" 

12 

22.225.41.40 

2/14/2010  23:24 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/search/default.aspx?queryid=542fflaa-2924-496e-8844- 

bced31826c62&qsrc=augoogle&seqNum=l&display=cached&q=cache:5Et2eSLgzdYJ:https://portal. mfe.usmc.smil.mil/g2/ 
Documents/CCC%2520Here%2520Be%2520Dragons%2520Trip%2520Report.doc+wikileaks  HTTP/1.1"  200  9924 
"http://www.intelink.sgov. gov/search/default. aspx?queryid=542fflaa-2924-496e-8844- 

bced31826c62&qsrc=augoogle&entqr=0&targetPage=%252Fsearch%252Fdefault.aspx&open_new=0&q=wikileaks&num= 

10&btnSearch=Search&gid=09e4fa80-dd82-102c-93b5-005056b340dc&sort=date:D:S:dl" 

13 

22.225.41.40 

2/14/2010  23:25 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/search/default.aspx?queryid=542fflaa-2924-496e-8844- 

bced31826c62&qsrc=augoogle&seqNum=6&display=cached&q=cache:0ryEhFSfiQMJ:http://10mtnportal.main.l0mtn.arm 
y.smil.mil/coordstaff/DAMO/Lists/Help%2520Desk%2520Tickets/DispForm.aspx%3FID%3D4284+wikileaks  HTTP/1.1"  200 
14078 

"http://www.intelink.sgov.gov/search/default.aspx?targetPage=%252Fsearch%252Fdefault.aspx&q=wikileaks8ibtnSearch= 

Search" 

14 

22.225.41.40 

2/14/2010  23:31 

GMT+0000 

"GET  /intelink.wip.ismc. sgov.gov/search/LinkThrough. aspx?id=542fflaa-2924-496e-8844- 

bced31826c62&qsrc=augoogle&seqNum=l&linkURL=http://www.intelink.sgov.gov/blogs/jlokka/2008/05/31/evils-of- 
wikileaksorg/  HTTP/1.1"  302  937 

"http://www.intelink.sgov.gov/search/default.aspx?targetPage=%252Fsearch%252Fdefault.aspx&q=wikileaks&btnSearch= 

Search" 

15 

22.225.41.40 

2/14/2010  23:31 

GMT+0000 

"GET  /intelink.wip.ismc. sgov.gov/search/LinkThrough.aspx?id=542fflaa-2924-496e-8844- 

bced31826c62&qsrc=augoogle&seqNum=4&linkURL=http://acic.north-inscom.  army.smil.mil/Products/ASR/RB08- 
0617.doc  HTTP/1.1"  302  917 

"http://www.intelink.sgov.gov/search/default.aspx?targetPage=%252Fsearch%252Fdefault.aspx&q=wikileaks&btnSearch= 

Search" 

16 

22.225.41.40 

2/14/2010  23:31 

GMT+0000 

"GET  /intelink.wip.ismc. sgov.gov/search/LinkThrough. aspx?id=542fflaa-2924-496e-8844- 

bced31826c62&qsrc=augoogle&seqNum=l&linkURL=https://portal.  mfe.usmc.smil.mil/g2/Documents/CCC%2520Here%25 
20Be%2520Dragons%2520Trip%2520Report.doc  HTTP/1.1"  000  0 

"http://www.intelink.sgov.gov/search/default.aspx?queryid=542fflaa-2924-496e-8844- 

bced31826c62&qsrc=augoogle&entqr=0&targetPage=%252Fsearch%252Fdefault.aspx&open_new=0&q=wikileaks&num= 

10&btnSearch=Search&gid=09e4fa80-dd82-102c-93b5-005056b340dc&sort=date:D:S:dl" 

17 

22.225.41.40 

2/14/2010  23:32 

GMT+0000 

"GET  /intelink.wip.ismc.sgov.gov/search/LinkThrough.aspx?id=542fflaa-2924-496e-8844- 

bced31826c62&qsrc=augoogle&seqNum=l&linkURL=https://portal. mfe.usmc.smil.mil/g2/Documents/CCC%2520Here%25 

20Be%2520Dragons%2520Trip%2520Report.doc  HTTP/1.1"  302  969 

"http://www.  intelink.sgov.gov/search/default. aspx?queryid=542fflaa-2924-496e-8844- 

bced31826c62&qsrc=augoogle&entqr=0&targetPage=%252Fsearch%252Fdefault.aspx&open_new=0&q=wikileaks&num= 

10&btnSearch=Search&gid=09e4fa80-dd82-102c-93b5-005056b340dc&sort=date:D:S:dl" 

18 

22.225.41.40 

2/14/2010  23:32 

GMT+0000 
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(U)  DECLARATION 


(U)  I,  LIEUTENANT  COLONEL  MARTIN  C.  NEHRING,  declare  and  slate:  1  am  the  subject  matter  expert  for  the 
Directorate  of  Operations  (J3)  for  classifications  reviews.  In  this  capacity,  I  reviewed  documents  pertaining  to 
United  States  v.  Private  First  Class  Bradley  Manning,  which  the  Manning  trial  team  provided  to  USCENTCOM. 

My  recommendations  to  the  Original  Classification  Authority  (OCA)  in  regard  to  the  proper  classification  of  these 
documents  are  contained  on  the  attached  list  (containing  a  total  of  seven  pages)  and  are  hereby  incorporated  into  this 
declaration. 

(U)  Pursuant  to  2f!  L'.S.C.  §1746, 1  declare  under  penalty  of  peijury  that  the  information  provided  herein  is  true  and 
correct  to  the  best  of  my  knowledge. 


Dated:  October  20 1 


MARTIN  C.  NEHRING  ' 
Lieutenant  Colonel,  U.S.  Air  Force 
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a  ONE  AFGHANISTAN  EVENTS 

Identified  Document 

formation  Revealing  (Rer  OCR 
380-14) 

Clasaiftcatlon 

Bests  for  Original 
Classification  1 

Basis  foe  Current  Classification 

053C4989-9747-41cD-94L5-4BC2F788FEAD 
3/2/2008  3:37 

Operational  activities 

S/REl 

EO  129  SB  (c) 

CCR  380  14(0110)  1.4(c),  A- 
2348 

2S3C4ES0-E469-4B8O-9FOE-KA42E7E 12A7 
12/4/2007 

operational  /  foreign  government 

5 

EO  12958  (a)(b)  i 

EO  13292. 1.4(b).  CCR  380-14 
(0110)  1.4(a):  A-23H11 

2S62B1FF-E285-4699'9EE1-BFC8SS85E186 

7/2/2007 

Page  6 

operational  /  foreign  government 
activities 

S/REl 

EO  12958  (a)(b) 

EO  13292, 1.4(b).  CCR  38(714 
(0110)  1.4(a):  A-23M1 

29556796-01B2-46F0-B6  57-264 11341FF42 
2/9/2007 

Page  8 

operational  /  foreign  government 

S 

EO  12958  (a)lb) 

EO  13292. 1  4(b),  CCR  380-14 
(0110)  1.4(a):  A-23811 

2A5CA12C-9579-4DA8-8E  E2-33343BFE93CB 
2/17/2007 

operational  /  foreign  government 

s 

EO  12958  (<)tb) 

EO  13292, 1.4(b).  CCR  380-14 
(0110)  1.4(a):  A-23R11 

36261792-F927-S439-D5 10126830518230 
6/30/2009 

Page  15 

operational  activities 

$ 

CCR  380-14(0139). 

A23,  A-24;  EO 
13292,  1.4  (a)  J 

CCR  380-14  (0110)  1.4(a):  A- 
2246.A23411 

4A8B0499-EB944F08-9O47  6E6E0CF81F4C 
3/4/2007 

Page  21 

operational  /  foreign  government 
activities 

s 

EO  12958  (a)(0) 

EO  13292, 1.4(b),  CCR  380  14 
(0110)  1.4(a):  A-23411 

4FD836OB-2053-4E9O-8696-7E48O32S2D7C 

3/23/2007 

Page  23 

operational  activities 

s 

EO  12958  (a) 

CCR  380-14  (0110)  1.4(a):  A- 
22*6,  A23#U 

S13BD1S6-C13F-4F06  99AF-8A1A5CIA5F64 
8/15/2007 

Page  25 

operational  activities 

5 

EO  12958  (a) 

CCR  380-14(0110)  1.4(a):  A- 
2247,A23#U 

S92S53 1E-C90B-3E0E-9C 123B78  7F29A3A9 
11/26/2009 

Page  26 

operational  /  foreign  government 

s 

CCR  380-14  (0105  , 

A-24;  EO  13292. 
14(a) 

EO  13292,  1.4(b),  CCR  380-14 
(0110)  1.4(a):  A-23B11 

765D9B14-75S8-47B2  B4RF-84A5F4911B41 
2/10/2007 

Page  29 

operational  /  foreign  government 

s 

EO  12958  (a)(b) 

EO  13292.  1.4(b).  CCR  380-14 
(OtlO)  1.4(a):  A-23irll 

8E99025D- 1 372-51CO-59D10=3792D4DP9F; 
9/6/2009 

Page  31 

operational  activities 

s 

CCR  380-14  (01C«  , 

A23,  A-24.  EO 
13292. 1.4  (a) 

CCR  380-14  (0110)  1.4(a):A- 
2247,  A-23411 

BA6701C4-2610-4')34-8t  1C-F194147D2260 
2/12/2007 

Page  33 

operational  /  foreign  government 
activities 

s 

EO  12958  (a)(bj 

EO  13792. 1.4(b).  CCR  380-14 
(0110)  1.4(a):  A-23411 

C6A60CD5-1372-51CO-5S'P719B1101721C1 

9/17/2009 

Page  35 

operational  activities 

S/REL 

CCR  380- 14  (0109). 

A23.A-24;  EO 
13292, 1.4  (a) 

CCR  380-14  (0110)  1.4(a):A- 
22*7,  A-23*ll 

E87E01A4-99F5-466A-8D3B-803107B05933 

5/9/2007 

P»8t37 

operational  /  foreign  government 

s 

EO  12956  (a)(bl 

EO  13292.  1.4(b),  CCR  380-14 
(0110)  1.4(a):  A  23*ll 

ReportKey  42BCCB0A-E9:IS-4296-A783- 
DOB84BB70E37  occurred  12/28/2007  10:30 

Page  20 

operational  /  foreign  government 
activities 

S/REl 

EO  12958  (a](bl 

EO  13292.  1.4(b),  CCR  380-14 
(0110)  1.4(a):  A-23411 

ReportKey  F9B227A4-2861-4EAC  A8CF- 
6028C67DA78A  OeteOccjrred  1C/13/2006  0:00 
Page  41 

foreign  government  activities 

EO  128 58  (b) 

EO  13292. 1.4(b) 

ReportKey  FADBDC 1C-ES9B-7F41- 
27BEC0B99A5A32D3  OateOccurrec  10/14/200* 
8:50 

operational  activities 

S 

EO  129S8  (a) 

CCR  380-14  (QUO)  1.4(a):A- 
22 47,  A-23411 

ManningB_0057237 1 
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1 - 

{Identified  Document 

nformation  Revealing  (Per  CCR 

380-14)  < 

I 

Ilasslficatlon  < 

lasts  for  Original 

Dassificauon  1 

Iasls  for  Current  Classification 

072A84A3-OACC-4E47-A328-309FC84S24B2 

S/4/2006 

Page  1 

operational  activities 

S 

=0  12958  (a)  * 

XR  380-14  (0110)  1.4<a):A- 
!3W 

OAQ7EE5B-C792-fB6£-lF:i'.CD97EC38C10A 

6/23/2009 

Page  3 

operational  activities 

s 

:CR  380-14  10109). 

823;  EO  13292,  1  4  ( 
:a) 

:CR  380  19  (0110)  1.4(a)A- 
2247 

12S9C04A-F394-1AD1  3936CA2F53BA767F 
11/20/2009 

Pages 

operational  activities 

s 

ICR  380-14  (0109). 

A23;  EO  13292, 1.4  1 
la) 

:CR  38a  14  (0110)  1.4(a):A- 
2247 

13D4FAC8-29OC-4623-836C-3S40E8D30E2C 

11/30/2004 

operational  activities 

5 

EO  12958  (a) 

CCR  380-14  (01 10)  1.4(a)  A- 
23*9 

fteportKey  1D19ACO4-1E5B44EC-9D10- 
5D9S86ES1A4F  DateOco.rred  10/23/2005  0:04 

operational  /  foreign  government 
activities 

S/REl 

EO  12958  (a)(b) 

EO  13292, 1.4(b),  CCR  380-14 
(0110)  1.4(a):  A-2349 

ReportKey  22ABF58E-F618-4AlA-RFn7- 
29B80812S499  DateOcevifrec  9/14/2C05  14:48 
Page  10 

operational  activities 

s 

6012958  (a) 

CCR  38a  14  (0110)  1.4(a):  A- 
2247 

ReportKey  28628224-ABVf-lCF4- 
0O4SO88D3FFF86AF 

DateOccurred  6/28/2009  20:31  Page  13 

operational  activities 

CCR  380-14  (0109), 

A23;  EO  13292, 1.4 

(a) 

CCR38ai4  (0110)  1.4(a):  A- 
2247 

ReportKey  2974CC00-CE7943207- 
DE92D63C5E0443C6 

DateOccurred  11/24/2009  22:30 

operational  activities 

5 

CCR  380-14  (0109), 

A-24;  EO  13292, 

1.4  (a) 

CCR  380-14  (0110)  1.4(a);  A- 
23*9 

ReportICey  2FBD7A50-FE40-CE03- 
940107643A4SS299 

DateOccurred  6/30/2009  6:03 

operational  activities 

s 

CCR  380-14  (0109), 

A-24;  EO  13292, 

14  (a) 

CCR  380-14  (0110)  1.4(a):  A- 
2349, 11 

ReportKey  31D33B9C-42  1D-4S61- 
5E60C4F966A7AC4A  DatnOccurred  7/16/2008 
21.00 

operational  activities 

s 

EO  12958  (a) 

CCR  380-14  (0110)  1.4(a):  A- 
2349,11 

ReporiKey  31FFBCDE-9345-91A1- 
8AAAFA4EE2946AC6  DatiOccurred  10/7/2009 
16:32 

operational  activities 

s 

CCR  380- 14  (0109 1, 

A-24;  EO  13292, 
1.4(a) 

CCR  38ai4  (0110)  14(a):  A- 
2349, 11 

ReportKey  4SA8BAC8-42  3Q-4S6 1- 

50 A42 65 A85 16F886  DateOccjrred  10/28/2008 

15:30 

operational  activities 

s 

EO  12958  (a) 

CCR  38a  14  (0110)  1.4(a),  A- 
2349 

ReportKey  4  BF346FD-00<a-317C- 
7F8C9DF1692A10A0 

DateOccurred  12/18/20C8  20:38 

operational  activities 

EO  12958  (a) 

CCR  38a  14  (0110)  1.4(a):  A- 
2247.  A23411 

ReportKey  5910353A-924B-E44A- 
4D8023801CF6O4EB  DateOccurred  8/26/2009 
23.29 

operational  activities 

s 

CCR  380-14  (010°  . 

A23,  A-24;  60 
13292, 1.4  (a) 

CCR  380-14  10110)  1.4(a):  A- 
2247,  A2349, 11 

ReportKey  5EA96040-07  63-16AF- 
F8331D3576729E32 

DateOccurred  8/28/2006  2:20  Page  31 

operational  activities 

5 

CCR  380-14  (0109), 

A23,  A-24;  EO 
13292, 1.4  la) 

CCR  380- 14  (01 10)  1.4(a):  A- 
2247.A23411 

ReportKey  63S30DS6-A1=A-060E- 
332D4A7A0945F9PF  DateOccurred  S/21/2009 
10:38 

operational  activities 

5 

CCR  380-14  (0109), 

A23,  A-24;  EO 
13292, 1.4  (a) 

CCR  38ai4  (0110)  1.4(a):  A- 
2247,  A2  3411 

ReporiKey  66870323-0F.!7-A8El- 
85899AD  306525333 

DateOccurred  12/6/2006  23:20 

operational  activities 

5 

CCR  380-14  (0109). 

A23,  A-24;  EO 
13292.14(a) 

CCR  380-14(0110)  1.4(a):  A- 
2247,  A2  3411 

ReportKey  682B8A77  08A1-829B- 
86040FC83S232519 

DateOccurred  12/7/2006  1:28 

operational  activities 

s 

CCR  38a  14  (0109), 

A-24;  60  13292, 

14  (») 

CCR  38ai4  (0110)  1.4(a): 

A2349, 11 

ReportKey  6BOA16AB-87  3C-FC8C- 

02 20277732025 A48  OateOccurred  3/30/2009 

1531 

operational  activities 

s 

CCR  380-14  (0109), 

A23,  A-24;  EO 
13292.1.4(a) 

CCR  380-14  (0110)  1.4(a):  A- 
2247,  A23411 

ReportKey  6E901S33-47S9-4EB0-94D0- 
4F86S1BCDDEA  OateOccjrred  2/7/200S  23:45 
Page  43 

operational  activities 

s 

EO  12958  (a) 

CCR  380- 14  (0110)  1.4(a): 

A2349, 11 

ReportKey  6EAE5BD8-D470-05A6- 
S7109EC60AC3523C  DateOccurred  10/19/2009 
2126 

operational  activities 

5 

CCR  380-14  (0109), 

A23,  A-24;  EO 
13292. 1.4  (a) 

CCR  380-14  (0110)  1.4(a):  A- 
2247,  A23411 

ReportKey  719AB05C-8SA1*»2E5-81B2- 
FE334B6E469D  DaleOcctirred  10/15/2006  2107 
Page  46 

operational  activities 

s 

EO  12958  (a) 

CCR  380-14  (0110)  1.4(a):  A- 
2247,  A2  3411 
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CT1XE  IRAQ  EVENTS  [Past  2) 

CCJ3 

denuded  Document 

formation  Revealing  (Per  CCR 

80-14)  C 

B 

Ossification  C 

falsification  B 

lasts  for  Currant  Classification 

eportKey  74S09F9r>-«DA<»-iFC6-B976- 
8CB96363C66  OateOccurred  10/20/2006  14:00 

perational  /  foreign  government 
ctKrities 

S  E 

E 

O  12958  (a)(b)  11 

O  13292, 1.4(b),  CCR  380-14 
0110)1  4(a):  A2  3*9, 11 

eportKey  784D1EF4FCAC-4F2D-A7CB- 
93SE4DF82SB  OateOccurred  10/26/2C05 1530 

peratkmal  actlvltlet 

5  ( 

c 

iO  12958  la)  ‘ 

ICR  380-14  (0110)  1.4(e): 
k23*9 

eportKey  7S9FC769  C9A6-CCEA. 
B6199717B603D22 

perational  actlvltlet 

c 

S  1 

XR  380-14(011)91. 

t-2A:EO  13292  ( 

1.4  (a)  : 

!CR  380-14  (0110)1.4(1):  A- 
!3«8, 11 

ReportKey  799I74FB1DE0-4E5E-BE6C- 
6A649C2A49A7 

operational  /  foreign  government 
ctMties 

S/REl  1 

EO 12958  !a)(b>  ( 

;0  13292,  1.4(b).  CCR  380-14 

0110)  1.4(a):  A-23A9 

ReportKey  7f  12282C-5056-9023- 
5831E1SSA5AE2457 

operational  activities 

s 

1 

EO  129S8  (a) 

ECR  380-14  (0110)  1.4(a):  A* 

2247,  A23411 

ReportKey  818F138E-B29E-D68C- 
154BF72F771D019tl 

DateOccurred  S/27'2009 10:17 

operational  activities 

5 

CCR  380  lAiOIDJi 

A23.A-24,  EO 

13292.  1.4  (a) 

CCR  380-14  (0110)  1.4(a):  A- 
2247,  A23R11 

ReportKey  869470AB-F336-E06S- 
E1EC959B8746520C 

OateOccurred  7/16/2009  21:18 

operational  activities 

s 

CCR  380  14(0139), 

A23,  A-24:  EO 
13292,  1.4  (a) 

CCR  380  14  (0110)  1.4(a):  A- 
2247,  A23411 

ReportKey  884E3011-07(.7-6BBC- 
FAA65SFBC8738DC0 

operational  activities 

s 

CCR  380-14  (C109), 

A23,  A-24;  EO 
13292,  1.41a) 

CCR  380  14  (0110)  1.4(a):  A- 

ReportKey  8D8C41 18-60:6-4935- 
86EDE2C6075EFCC5 

operational  activities 

s 

CCR  380-14  1010=  ..  1 

A-24;  E0  13292.  CCR  380-14  (0110)  1.4(a):  A- 

1.4(a)  1 23*9, 11 

ReportKey  8EE0DS55-B6I F-0E43- 
5CC7109B02A929EB 

DateOccurred  10/2S/2003  20:04 

operational  activities 

s 

CCR  380-14  (0109),  | 

A-24;  EO  13292,  CCR  380-14  (0110)  1.4(a):  A- 
1.4(a)  (23*9, 11 

ReportKey  99C3B668-F  76B-4FAF- 
B389DAAS081A6818 

OateOccurred  9/8/2009  11:35 

operational  activities 

CCR  380-14  (0109),  j 

A23,  A-24;  EO 
13292, 1.4  ia) 

CCR  380-14  (0110)  1.4(a):  A- 
22*7,  A23811 

ReportKey  9A037F66-0903-E779- 
A3B1025  D2C7A6B5A 

OateOccurred  9/8/2009  '-OOP 

operational  activities 

$ 

CCR  380-14  (013-9), 

A23,  A-24;  EO 
13292.1.4(a) 

CCR  380-14  (0110)  1.4(a):  A- 
72*7,  A23»ll 

ReportKey  A2AB1E80-ACX6EF19- 
BFAA52006ACCEC10 

DateOccurred  9/9/2009  1 :23 

operational  activities 

s 

CCR  380-14  (0109), 

A-24;  EO  13292. 
1.4(a) 

CCR  380*14(0110)  1.4(a):  A- 
2349. 11 

ReportKey  A2C1B4 15-A2 =B-S80B- 
413SA3FD37FE8C89 

DateOccurred  3/12/2008  10:30 

operational  activities 

s 

EO  12958  (a) 

CCR  380-14  (0110)  1.4(a);  A- 
2348,  11 

ReportKey  B068D03D-BSS4  -B59E- 
9C81 18749180 6597 

DateOaurred  1/7/2009  11:28 

operational  activities 

s 

EO  129S8  (a) 

CCR  380-14  (0110)  1.4(a):  A. 
23*9,11 

ReportKey  B278S76F-0215-3CEC- 
C70471SA7DACE230 

DateOccurred  9/30/2008  9:S1 

operational  activities 

s 

EO  12958  (a) 

CCR  380-14  (0110)  1.4(a);  A- 
22*7.  A23*U 

ReportKey  B4FSA6'9-78D2-«C65-B1S3- 
7372476EEE77 

DateOccurred  10/23/20CS  0:25 

operational  /  foreign  government 
activities 

s 

EO  12958  (a)(bi 

EO  13292,  1.4(b),  CCR  380- 14 
(0110)  14(a):  A2389.ll 

ReportKey  B54060D2-A1A2-182C- 
507A500EDF4C4412 

DateOccurred  9/13/2009  14:14 

operational  activities 

5 

CCR  380-14(0109,, 

A-24;  EO  13292, 

14  (a) 

CCR  380-14  (0110)  1.4(a):  A- 
23*9,  11 

ReportKey  BE0A29E9-DC  20-456E-9D31- 
3DA1F 1A1453B 

DateOccurred  3/11/200E  19:03 

operational  activities 

5 

EO  12958  (a) 

CCR  380-14  (0110)  1.4(a):  A- 
23*8 

ReportKey  BFBCE4CS-A390-F6A&- 
AD090F08AEF99486 

DateOccurred  11/4/200S  2:16 

operational  activities 

5 

CCR  380-14  (0109) 

A-24;  EO  13292, 
1.4(a) 

CCR  380-14  (0110)  1.4(a):  A- 
23*9, 11 

ReportKey  C2967SF2-C99E-BB02- 
B494FA60186A8D78 

DateOccurred  10/3/2008  9-55 

operational  activities 

s 

EO  12958  (a! 

CCR  380-14  (0110)  1.4(a):  A- 
23*8,11 

ReportKey  C43B433-DB57-43E5-8644- 
627703FE3BA9 

DateOccurred  10/22/20C5  21*48 

operational  /  foreign  government 
activities 

5 

EO  12958  (a)(b) 

EO  13292, 1.4(b),  CCR  380-14 
(0110)  1.4(a):  *23*9, 11 

ReportKey  C476C534-0C62-E828- 
1E79S9612A44868F 

DateOccurred  12/2S/20C9  7:16 

operational  activities 

s 

CCR  380  U  (OltN! 

A-24;  EO  13292. 

CCR  380-14  (01 10)  1.4(a):  A- 
23*9, 11 
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CG3 

Identified  Document 

nformation  Revealing  (Per  CCR 
380-14) 

Classification 

Basis  for  Originjl 
Classification 

Basis  for  Current  Classification 

ReportKey  31E6C4SB-ECJ0  IFCV) 
5571AE99SA6B1F63 

DateOccurred  11/7/2009  21-45 

operational  activities 

5 

CCR  380  14 10109;, 

A-24;  CO  13292. 
14(a) 

CCS  380-14  (0110)  1.4(a):  A- 
2349, 11 

ReportKey  D637F898-F528-E5C8- 
F0FA312483CB9A4H 

DateOccuried  1/14/2009  5:C0 

operational  activities 

s 

CCR  380-14  (01391, 

A-24;  EO  13202. 

1.4  (a) 

CCR  380-14  (01 10)  1.4(a):  A- 
23*9,11 

ReportKey  DAAE0EK8-A4F1C6SS- 
F917CFD9AC28E71H 

DateOccurred  8/2/2009  8  00 

operational  activities 

CCR  380-14  (0109;, 

A-24;  EO  13292.  i 
1-4  (a) 

CCR  380-14(0110)1  4(a):  A- 
23«9, 11 

ReportKey  DF4783E0  90S6-B43F- 
60B01DDBAEB530!-® 

DateOccurred  1/16/2009  7:30 

operational  activities 

5 

CCR  380-14  (0109; 

A-24;  EO  13292. 

1.4  (a) 

CCR  380-14  (0110)  1.4(a):  A- 
23*9. 11 

ReportKey  0F6BE80E-05S3-C2FC- 
01A7E6ED190D3AFA 

DateOccurred  4/25/2009  13:40 

operational  activities 

s 

CCR  380-14  (01001. 

A-24;  EO  13292, 

1.4  (a) 

CCR  380-14  10110)  1.4(a):  A- 

ReportKey  E30AD025-E10B-4020-9SES- 
0AC80ECF874B 

OateOccurred  8/8/2006  21:57 

operational  activities 

s 

EO  12958  (a) 

CCR  380-14  (0110)  1.4(a):  A- 
23411 

ReportKey  E7EFF3A9-A1F7-1D26- 
8D12BEB372D2AC54 

DateOccurred  6/16/2009  7:59 

operational  activities 

s 

CCR  380- U 10109), 

A23,  A-24;  EO 
13292, 1.4  (a) 

CCR  380-14  (0110)  1.4(a):  A- 
2247.A73411 

ReportKey  F1F1FEFS-B274-F765- 
SA47F5C322B64F84 

OateOccurred  9/11/2007 1:34 

operational  activities 

s 

EO  12958  (a) 

CCR  380-14  (0110)  1.4(a):  A- 
23*9, 11 

Page  4  of  7 


ManningB_00572374 


o 


J 


CCJ3  j 

identified  Document 

nformatlon  Revealing  (Per  CCR 
W0-14)  ( 

falsification 

Sasls  for  Ongir.il 
Classification  ! 

lexis  for  Current  Classification 

Brief  To  GEN  P  Findings  *nd  Rees  a  June,  No 

year  found 

operational  activities 

S/REl 

[0  13292.1.4(a)  ) 

XR  WO  14  (0110)  1.4(a),  A- 

14X12 

Chat  Lop  (CENTCOM)  No 

operational  activities 

S 

XR  380- :  4  (0109) 
1.4(a),  A-23;  EO  ( 
13292,  1.4  (a) 

XR  380-14  (0110)  14(a),  A- 
22*6 

Farih  Brief  FINAL  vl  21  May  09 

operational  activities 

S/REL 

CCR  380- 14  (OIOS;, 

A-24;  £013292.  I 

1.4  (a) 

CCR  380-14  (01 10)  1.4(a);  A- 
23*11 

Farah  Brief  FINAL  vS  24  MayC9 

operational  activities 

S/REl 

CCR  380  14  (0109 

A-24;  EO  13292 

1.4  (a) 

CCR  380-14  (0110)  1.4(a);  A- 
23*11 

Farah  INS  Probably  Deiiberatley  Instigate  4  May 
CIVCAS  Incident  Srategic  Intel  brief,  10  May 

2009 

Interim  Report  Farah  CIVCAS  Investigation  to  Cen 

OFF  SUPPORT  FARAH  FIT  Powerpolr.t  document 
May  2009 

f  INAl  ■  10'S  REPORT  (OS  20002  JUN  09 
(SIGNEDKmlnlmreo)  (3) 

operational  activities 

s 

CCR  380-14  (0109), 

A-25;  EO  13292, 

1-4  (a) 

CCR  380-14  (0110)  1.4(a).  A- 
24*12 

TAB  A  Appendix  1  (CJSOTF  FRAGO  02  • 
OPERATIONAL  GUIDANCE)  29  Ian  09 

operational  activities 

S/REL 

EO  13292, 1.4  (a) 

CCR  380-14  (0110)  1.4(a),  A- 

APPENDIX  2  TO  ANNEX  C  TO  FRAGO  08.003;  29 

Oct  08 

_ 

APPENDIX  3  TO  ANNEX  C  FRAGC  08 .0C3: 29  Oct 

08 

APPENDIX  4  TO  ANNEX  C  FRAGC  08.X3;  29  Oct 

08 

TA8  A  Append*  S  (USCENTCOM  Tactic*  Directive 
-OEFAFG)  12  Sep  08 

operational  activities 

s 

EO  13292, 14  (a) 

CCR  380  14  (0110)  1.4(a).  A- 

24412 

TAB  A  Appendix  6  (Pio  Policy)  20  Dec  03 

operational  activities 

S/REL 

EO  13292, 1.4(a) 

CCR  380-14(0110)  1.4(a),  A- 

24*12 

tab  A  Appendix  10  (USFOR-A  =RAGO  CS-003  - 
CIVCAS  PROCEDURES)  Sep  08 

operational  activities 

S/REl 

EO  13292, 1.4  (a) 

CCR  380-14(0110)  1.4(a),  A- 
24*12 

TAB  0  Appendix  6  (8213  QRF  CONO»)  4  May  09 

operational  activities 

S 

CCR  380-14  (0109), 

A-24;  EO  13292. 
14(a) 

CCR  38C-14  (0110)  1.4(a),  A- 
23411 

TAB  C  Append*  2  {Strategic  Intel  br  ef)  10  May 
09 

noJ3equltes 

noJ3eqult« 

no  13  equltei 

tab  0  Appendix  7  (8141  initial  TIC  Slide)  4  May  09 

operational  activities 

s 

CCR  380-14(0109'. 

A-24;  60  13292, 

1.4  (a) 

CCR  380-14  (0110)  1.4(a),  A- 
23411 

TA8  A  Appendix  2  (FRAGO  429-2X8  COMISAF 
TAC  DIR)  B  Dec  08 

ISAF/NATO/S 

TAB  A  Appendix  12  (USCENTCOM 
CONSOLIDATED  SERIAL  ONE  RULES  OF 
ENGAGEMENT  FOR  OPERATION  ENDURING 

operational  activities 

s 

EO  13292, 1.4  (a) 

CCR  380-14  (0110)  1.4(a),  A- 
26*19 

VIDEO  [BE  22  PAX),  Mey  2009 

operational  activities 

s 

CCR  380- 14  (0109' 

A-24;  EO  13292, 
1.4  |a) 

'  CCR  380-14  (0110)  1.4(a),  A- 
23*11 
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EXTRA  10  DOCUMENTS 


identified  Oocument 

nfommlon  Revealing  (Per  CCR 
380-14) 

Classification 

Classification 

Basis  for  Current  Classification 

ReportKey  08836010-9 131-  1CA0- 
1CS64QA34263A61E  DateOccurred  8/28/2008 

7:55 

Pag.l 

operational  activities 

s 

EO  1295S  (a) 

EO  13292.  1.4(a).  CCR  380-14 
(0110)  14(a):  A-23, 48.811 

Report  Key  09A6302C-08F1-4288- 
837D88C5A3A7FC0O  DateOccurred  7/9/2008  4:42 
Pate  2 

operational  activities 

• 

EO 12958  (al 

EO  13292,  1.4(a),  CCR  380-14 
(0110)  1.4(a):  A-23,  88,811 

ReportKey  10CF802B-D020-91E8- 
240C62896F67ODD7  DateOccurred  12/7/2008 
5:12 

Page  3 

operational  activities 

• 

EO  12958  la) 

EO  13292,  1.4(a),  CCR  380-14 
(0110)  1.4(a):  A-23,  #8.#11 

ReportKey  1E14FD20-8DAF-AB87- 
0E6E883C0084S042  OateOccurrad  12/9/2008 
18:50 

Pages 

operational  activities 

S 

EO  12958  la) 

EO  13292, 1.4(a),  CCR  380-14 
(0110)  1.4(a):  A-22  »7,  A-23  ill 

ReportKey  50BE089C-DC09-7406- 

A 1 BD609E 9762 2EE0  DateOccurred  a/17/2008 

15:22 

Paga6 

operational  activities 

5 

EO  12958  (a) 

EO  13292, 1.4(a),  CCR  380-14 
(0110)  1.4(a):  A-23,  88,811 

ReportKey  61FF7036-9FFB-C70S- 
510C59CB08EDD4SS  DateCccur'ed  11/3/2008 
8:45 

Page  7 

operational  activities 

s 

EO  12958  (a) 

EO  13292, 1.4(a),  CCR  380-14 
(0110)  1.4(a):  A-23. 88,811 

ReportKey  6E72B4E1-FD82-8C81- 
44S70CFBE8563B00  DateOccurred  7/29/2008 
6:40 

Page  8 

operational  activities 

s 

EO  12958  (a) 

EO  13292, 1.4{a|,  CCR  380-14 
(0110)  1.4(a):  A-23  811 

ReportKey  72F3566A-F0F4-56B9- 
2390E8O80BEC6557  DateOccurred  7/3C/20O8 
2:00 

Page  9 

operational  activities 

s 

EO  12953  (a) 

EO  13292.  1.4(a).  CCR  380-14 
(0110)  1.4(a):  A-23,  88,811 

ReportKey  73BEF45B-C7f8-9S01 

A66 7980209176352  DateOccurred  2/14/2009 
6:12 

Page  10 

operational  activities 

s 

CCR  3*0-14  (0109) 
1.4(a).  A-23:  EO 
13292, 1.4  (a) 

EO  13292, 1.4(a),  CCR  380-14 
(0110)  1.4(a):  A-22  »7,  A-23  all 

ReportKey  7S15D2A2-96B3-D28S- 
1B8F169C2E5B6C1 1  OateOccuved  7/30/2008 
3:15 

Page  11 

operational  activities 

5 

EO  12958  (a) 

EO  13292,  1.4(a),  CCR  380-14 
(01 10)  1.4(a):  A-22  87,  A  23  811 

ReportKey  89843A40-0S73-8F32- 
20B3AOC3CE56C3C3  DateOccurred  4/26/2008 
4:«5 

Page  12 

operational  activities 

s 

EO  12958  (a) 

EO  13292, 1.4(a),  CCR  380-14 
(0110)  1.4(a):  A-22  87,  A-23  811 
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identified  Document 

nformation  Revealing  (Per  CCR 
380-14) 

Classification 

Basil  for  Original 
Classification  1 

Basts  for  Current  Classification 

ReportKey  8CSS09D2-016D-74S7- 
AFS8SB2401D5ECD4  OateOccurred  12/31/2008 
655 

operational  activities 

s 

FO  12958  la, 

EO  13292. 14(a),  CCR  380  14 
(0110)  1.4(a):  A-22  87,  A-23  #11 

ReportKey  9A1EC6C6-CDC9-7AC5- 
75AA98A901 B62560  OateOccurred  6/18/2008 

2:30 

operational  activities 

5 

EO 12958  (a) 

EO  13292, 1.4(a|,  CCR  380-14 
(01 1C)  14(a):  A-22  47,  A-23  411 

PtportKcy  B4EDA65C-C7 14-5FA6- 
42AEE13S7S5CAD7F  DatfOcairred  1/8/2009  4:52 

Pile  IS 

operational  activities 

5 

EO 12958  (a) 

EO  13292,  1.4(a).  CCR  380-14 
(0110)  1.4(a):  A-22  *7.  A-23  all 

ReoortKey  B4EOA65C-C714-5FA6- 
42AEE135755CAD7F  nateOcc.rrd  1/E/20C9  4:52 

Page  16 

operational  activities 

S 

EO  12958  (a) 

EO  13292. 1.4(a),  CCR  380-14 
(0110)  1.4(a):  A-23.  48, 111 

ReportKey  8SS2CDO2-0E11-C493- 
E62E77C8D688CD9D  OateOccurred  1V19/2008 
10:55 

Page  17 

operational  activities 

s 

EO  129S8  (a) 

EO  13292, 1.4(a).  CCR  380-14 
(0110)  1.4(a):  A-23,  »8.411 

ReportKey  C0BA48C6-A6698E9S- 
9C7E62077BF8D759  OateOccurred  6/28/2008 
4:17 

Page  18 

operational  activities 

s 

EO  12958  (a) 

EO  13292. 1.4(a),  CCR  380  14 
(0110)  1.4(a):  A-22  47,  A-23  411 

ReportKey  E43C1C21-0FD1-313F- 
8C4D5B9CFB2BA03D  OateOccurred  1/5/2009 

S.30 

Page  20 

operational  activities 

s 

EO  12958  (a) 

EO  13292, 1.4(a),  CCR  380-14 
(0110)  1.4(1):  A-23,  48,411 

ReportKey  F5S4AA£4-C468-36SF- 
45BFCD8E63953D7F  DiteOccurred  10/13/2008 
7:00 

Page  21 

operational  activities 

S 

EO  12958  (a) 

EO  13292. 1.4(a),  CCR  380-14 
(0110)  1.4(a);  A-23, 48.411 

ReportKey  FADBDC1C-FS9B-/F41- 
27BEC0B99ASA32D3  OateOccurred  10/14/2008 
8:50 

Page  22 

operational  activities 

5 

EO  12958  (a) 

EO  13292.  1.4(a),  CCR  380-14 
(0110)  1.4(a):  A-22  47,  A-23  411 
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UNCLASSIFIED 


(U)  DECLARATION 


(U)  I,  LIEUTENANT  Thomas  Hoskins,  declare  and  state:  lam  the  subject  matter  expert  for  ihe  Directoraic  of 
Strategy.  Plans,  and  Policy  (JS)  for  classification  reviews.  In  this  capacity,  I  reviewed  documents  pertaining  to 
United  States  v.  PnvjMy  First  Clas;  Bradley  Manning,  which  the  Manning  trial  team  provided  to  USCF.NTCOM. 

My  recommendations  to  the  Original  Classification  Authority  (OCA)  in  regard  to  the  proper  classification  of  these 
documents  are  contained  on  the  attached  list  (containing  a  total  of  nineteen  pages)  and  are  hereby  incorporated  into 
this  declaration. 

(U)  Pursuant  to  28  U.S.C.  §  1746,  l  declare  under  penalty  of  pojury  that  the  information  provided  herein  is  tree  and 
correct  to  the  best  of  my  knowledge. 

Dated:  2  /  October  2011 


Thomas  Hoskins 

Lieutenant,  U,S.  Navy 
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PAGE _ OF _ PAGES 


[identified  Document 

Information  Revealing 
(Per  CCR  380-14) 

Classification 

Basis  for  Original 

Classification 

Basis  for  Current 

Classification 

CIDNE-A  SIGACTS,  3/2/2008 

12.  Operational  Code 
Words 

Secret 

CCR  380-14, 
0109/CG5-P 

CCR  380-14, 

0110/CG5-P 

CIDNE-I  SIGACTS,  5/4/2006 

12.  Operational  Code 
Words 

Secret 

CCR  380-14, 
0109/CCJ5-P 

CCR  380-14, 

0110/CG5-P 

CIDNE-I  SIGACTS,  5/4/2007 

1.  Characteristics  of  US 
weapons  and  related 
sustainability 

Secret 

CCR  380-14, 
0109/CCJ5-P 

CCR  380-14, 
0110/CG5-P 

CIDNE-I  SIGACTS,  5/4/2008 

13.  Participating  units, 
including  types, 
vulnerabilities,  locations, 
quantities,  readiness 
status,  deployments, 
redeployments,  and 
details  of  movement  of 

US  friendly  forces. 

Secret 

CCR  380-14, 
0109/CG5-P 

CCR  380-14, 
0110/CG5-P 

10's  General  Findings 
Powerpoint  document 

9.  Limitations  and 
vulnerabilities  of  US 

forces  in  the  combat 

area. 

S//REL  ACGU 

CCR  380-14, 
0109/CG5-P 

CCR  380-14, 
0110/CG5-P 

Interim  Report,  Farah 
CIVCAS  Investigation,  22 

May  09 

13.  Participating  units, 
including  types, 
vulnerabilities,  locations, 
quantities,  readiness 
status,  deployments, 
redeployments,  and 
details  of  movement  of 

US  friendly  forces. 

S//REL 

CCR  380-14, 
0109/CG5-P 

CCR  380-14, 
0110/CG5-P 
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Interim  Report,  Farah 
CIVCAS  Investigation,  22 
May  09 

12.  Operational  Code 

Words 

S//REL 

CCR  380-14, 
0109/CCJ5-P 

CCR  380-14, 
0110/CCJ5-P 

Interim  Report  Farah 

CIVCAS  Investigation  to  Gen 
Petraeus,  25  May  09 

13.  Participating  units, 
including  types, 
vulnerabilities,  locations, 
quantities,  readiness 
status,  deployments, 
redeployments,  and 
details  of  movement  of 

US  friendly  forces. 

S//REL 

CCR  380-14, 
0109/CCJ5-P 

CCR  380-14, 
0110/CCJ5-P 

Interim  Report  Farah 

CIVCAS  Investigation  to  Gen 
Petraeus,  25  May  10 

12.  Operational  Code 
Words 

S//REL 

CCR  380-14, 
0109/CCJ5-P 

CCR  380-14, 
0110/CCJ5-P 

MEMORANDUM  FOR 
Commander,  United  States 
Central  Command 

SUBJECT:  Report  of  AR  15-6 
Investigation  into 
Allegations  of  Civilian 
Casualties  on  4  May  2009  in 
the  Vicinity  of  Bala  Balouk, 
Farah  District,  Herat 
Province,  Afghanistan 

3.  Concept  of  operations 
including  order  of  battle, 
execution  circumstances, 
operating  locations, 
resources  required, 
tactical  maneuvers, 
deployments,  actions 
and  objectives 

S/RELTO  USA, 
ISAF, 

NATO/MR) 

CCR  380-14, 
0109/CG5-P 

CCR  380-14, 
0110/CCJ5-P 
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MEMORANDUM  FOR 

Commander,  United  States 

Central  Command 

SUBJECT:  Report  of  AR  15-6 
Investigation  into 
Allegations  of  Civilian 
Casualties  on  4  May  2009  in 
the  Vicinity  of  Bala  Balouk, 
Farah  District,  Flerat 
Province,  Afghanistan 

12.  Operation  code 
words. 

S/REL  TO  USA, 
ISAF, 

NATO/MR) 

CCR  380-14, 
0109/CCJ5-P 

CCR  380-14, 
0U0/CCJ5-P 

MEMORANDUM  FOR 
Commander,  United  States 
Central  Command 

SUBJECT:  Report  of  AR  15-6 
Investigation  into 

Allegations  of  Civilian 
Casualties  on  4  May  2009  in 
the  Vicinity  of  Bala  Balouk, 
Farah  District,  Herat 
Province,  Afghanistan 

1.  Characteristics  of  US 
weapons  and  related 
sustainability 

S/REL  TO  USA, 
ISAF, 

NATO/MR) 

CCR  380-14, 
0109/CCJ5-P 

CCR  380-14, 
0110/CCJ5-P 
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MEMORANDUM  FOR 

Commander,  United  States 
Central  Command 

SUBJECT:  Report  of  AR  15-6 
Investigation  into 
Allegations  of  Civilian 
Casualties  on  4  May  2009  in 
the  Vicinity  of  Bala  Balouk, 
Farah  District,  Herat 
Province,  Afghanistan 

9.  Limitations  and 

vulnerabilities  of  US 

forces  in  the  combat 

area. 

S/RELGCTF) 

CCR  380-14, 
0109/CG5-P 

CCR  380-14, 
0110/CG5-P 

GSOTF-A  OPORD  09-01, 
OEFXIII  (AFGHANISTAN),  01 
OCT  08 

3.  Concept  of  operations 
including  order  of  battle, 
execution  circumstances, 
operating  locations, 
resources  required, 
tactical  maneuvers, 
deployments,  actions 
and  objectives 

SECRET//REL 

GCTF 

CCR  380-14, 
00501/CG5-P 

CCR  380-14, 
0110/CG5-P 

GSOTF-A  OPORD  09-01, 
OEFXIII  (AFGHANISTAN), 01 
OCT  09 

7.  Flexible  Deterrent 
Options 

SECRET//REL 

GCTF 

CCR  380-14, 
00501/CG5-P 

CCR  380-14, 
0110/CG5-P 

GSOTF-A  OPORD  09-01, 
OEFXIII  (AFGHANISTAN),  01 
OCT  10 

12.  Operational  Code 
Words 

SECRET//REL 

GCTF 

CCR  380-14, 
00501/CG5-P/A-39/ 

CCR  380-14, 
0110/CG5-P 

GSOTF-A  OPORD  09-01, 
OEFXIII  (AFGHANISTAN),  01 
OCT  11 

9.  Limitations  and 

vulnerabilities  of  US 

forces  in  the  combat 

area. 

SECRET//REL 

GCTF 

CCR  380-14, 
00501/CG5-P 

CCR  380-14, 
0110/CG5-P 
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USFOR-A  FRAGO  08-003 
CIVCAS  PROCEDURES 

12.  Operational  Code 
Words 

SECRET//  USA 
NATO 

CCR  380-14, 
00501/CCJ5-P 

CCR  380-14, 
0110/CCJ5-P 

APPENDIX  2  TO  ANNEX  C 

TO  FRAGO  08.003 

3.  Concept  of  operations 
including  order  of  battle, 
execution  circumstances, 
operating  locations, 
resources  required, 
tactical  maneuvers, 
deployments,  actions 
and  objectives 

SECRET//REL 
ISAF,  NATO 

CCR  380-14, 
00501/CCJ5-P 

CCR  380-14, 
0110/CCJ5-P 

APPENDIX  3  TO  ANNEX  C 

FRAGO  08.003 

3.  Concept  of  operations 
including  order  of  battle, 
execution  circumstances, 
operating  locations, 
resources  required, 
tactical  maneuvers, 
deployments,  actions 
and  objectives 

SECRET//REL 
ISAF,  NATO 

CCR  380-14, 
00501/CCJ5-P 

CCR  380-14, 
0110/CCJ5-P 

APPENDIX  4  TO  ANNEX  C 

FRAGO  08.003 

3.  Concept  of  operations 
including  order  of  battle, 
execution  circumstances, 
operating  locations, 
resources  required, 
tactical  maneuvers, 
deployments,  actions 
and  objectives 

SECRET//REL 
ISAF,  NATO 

CCR  380-14, 
00501/CG5-P 

CCR  380-14, 
0110/CG5-P 
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USCENTCOM 

CONSOLIDATED  SERIAL  ONE 

RULES  OF  ENGAGEMENT 

FOR  OPERATION  ENDURING 

FREEDOM  MOD  002 

12.  Operational  Code 
Words 

SECRET// 

NONE 

CCR  380-14, 
00501/CCJ5-P 

CCR  380-14, 
0110/CCJ5-P 

USCENTCOM 

CONSOLIDATED  SERIAL  ONE 

RULES  OF  ENGAGEMENT 

FOR  OPERATION  ENDURING 

FREEDOM  MOD  003 

3.  Concept  of  operations 
including  order  of  battle, 
execution  circumstances, 
operating  locations, 
resources  required, 
tactical  maneuvers, 
deployments,  actions 
and  objectives 

SECRET// 

NONE 

CCR  380-14, 
00501/CG5-P 

CCR  380-14, 
0110/CCJ5-P 

USCENTCOM 

CONSOLIDATED  SERIAL  ONE 

RULES  OF  ENGAGEMENT 

FOR  OPERATION  ENDURING 

FREEDOM  MOD  004 

9.  Limitations  and 

vulnerabilities  of  US 

forces  in  the  combat 

area. 

SECRET// 

NONE 

CCR  380-14, 
00501/CCJ5-P 

CCR  380-14, 
0U0/CCJ5-P 

FRAGO  429-2008  COMISAF 

TACTICAL  DIRECTIVE  and 

attachment 

3.  Concept  of  operations 
including  order  of  battle, 
execution  circumstances, 
operating  locations, 
resources  required, 
tactical  maneuvers, 
deployments,  actions 
and  objectives 

NATO/ISA  F 
SECRET  RELTO 

GCTF 

CCR  380-14, 
00501/CCJ5-P 

CCR  380-14, 
0110/CCJ5-P 
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FRAGO  429-2008  COMISAF 

TACTICAL  DIRECTIVE  and 

attachment 

12.  Operational  Code 
Words 

NATO/ISAF 
SECRET  RELTO 

GCTF 

CCR  380-14, 
00501/CCJ5-P 

CCR  380-14, 
0110/CCJ5-P 

FRAGO  429-2008  COMISAF 

TACTICAL  DIRECTIVE  and 

attachment 

9.  Limitations  and 

vulnerabilities  of  US 

forces  in  the  combat 

area. 

NATO/ISAF 
SECRET  RELTO 

GCTF 

CCR  380-14, 
00501/CG5-P 

CCR  380-14, 
0110/CCJ5-P 

FRAGO  429-2008  COMISAF 

TACTICAL  DIRECTIVE  and 

attachment 

8.  Estimate  of 
operational  effectiveness 
of  intelligence, 
counterintelligence, 
rescue,  and 
reconnaissance 

NATO/ISAF 
SECRET  RELTO 

GCTF 

CCR  380-14, 
00501/CCJ5-P 

CCR  380-14, 
0110/CCJ5-P 

FRAGO  429-2008  COMISAF 

TACTICAL  DIRECTIVE  and 

attachment 

2.  Communication 
effectiveness, 
sustainability,  limitations 

NATO/ISAF 
SECRET  RELTO 

GCTF 

CCR  380-14, 
00501/CCJ5-P 

CCR  380-14, 
0U0/CCJ5-P 

USCENTCOM  Tactical 

Directive  -  OEF  AFG 

9.  Limitations  and 

vulnerabilities  of  US 

forces  in  the  combat 

area. 

SECRET 

CCR  380-14, 
00501/CCJ5-P 

CCR  380-14, 
0110/CCJ5-P 

USCENTCOM  Tactical 

Directive  -  OEF  AFG 

3.  Concept  of  operations 
including  order  of  battle, 
execution  circumstances, 
operating  locations, 
resources  required, 
tactical  maneuvers, 
deployments,  actions 
and  objectives 

SECRET 

CCR  380-14, 
00501/CCJ5-P 

CCR  380-14, 
0110/CCJ5-P 
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CENTCOM  PID  Policy,  Dtg: 
200053Z  Dec  08 

3.  Concept  of  operations 
including  order  of  battle, 
execution  circumstances, 
operating  locations, 
resources  required, 
tactical  maneuvers, 
deployments,  actions 
and  objectives 

SECRET/  AUS/ 
CAN/ GBR/ 

USA 

CCR  380-14, 
00501/CCJ5-P 

CCR  380-14, 
0110/CG5-P 

CENTCOM  PID  Policy,  Dtg: 
200053Z  Dec  09 

9.  Limitations  and 

vulnerabilities  of  US 

forces  in  the  combat 

area. 

SECRET/  AUS/ 
CAN/ GBR/ 

USA 

CCR  380-14, 
00501/CG5-P 

CCR  380-14, 
0110/CG5-P 

CENTCOM  PID  Policy,  Dtg: 
200053Z  Dec  10 

8.  Estimate  of 
operational  effectiveness 
of  intelligence, 
counterintelligence, 
rescue,  and 

reconnaissance 

SECRET/  AUS/ 
CAN/  GBR/ 

USA 

CCR  380-14, 
00501/CCJ5-P 

CCR  380-14, 
0110/CG5-P 

Farah  INS  Probably 
Deliberatley  Instigate  4 

May  CIVCAS  incident, 
Strategic  Intel  brief,  10  May 
2009 

12.  Operational  Code 
Words 

SECRET//FGI 
GBR//REL  TO 
USA,  ACGU 

CCR  380-14, 
0109/CG5-P 

CCR  380-14, 
0110/CG5-P 

Farah  INS  Probably 
Deliberatley  Instigate  4 

May  CIVCAS  incident, 
Strategic  Intel  brief,  10  May 
2010 

9.  Limitations  and 

vulnerabilities  of  US 

forces  in  the  combat 

area. 

SECRET//FGI 
GBR//RELTO 
USA,  ACGU 

CCR  380-14, 
0109/CG5-P 

CCR  380-14, 
0110/CG5-P 
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URF  SUPPORT  FARAH  ETT 
PowerPoint  document 
(8141) 

12.  Operational  Code 
Words 

SECRET//NOF 

ORN//ORCON 

25X-1  HUMAN 

CCR  380-14, 
0109/CCJ5-P 

CCR  380-14, 
0110/CCJ5-P 

QRF  SUPPORT  FARAH  ETT 
PowerPoint  document 
(8141) 

3.  Concept  of  operations 
including  order  of  battle, 
execution  circumstances, 
operating  locations, 
resources  required, 
tactical  maneuvers, 
deployments,  actions 
and  objectives 

SECRET//NOF 
ORN//ORCON 
25X-1  HUMAN 

CCR  380-14, 
0109/CCJ5-P 

CCR  380-14, 
0110/CG5-P 

QRF  SUPPORT  FARAH  ETT 
PowerPoint  document 
(8213) 

12.  Operational  Code 
Words 

SECRET//NOF 
ORN//ORCON 
25X-1  HUMAN 

CCR  380-14, 
0109/CCJ5-P 

CCR  380-14, 
0110/CG5-P 

QRF  SUPPORT  FARAH  ETT 
Powerpoint  document 
(8213) 

3.  Concept  of  operations 
including  order  of  battle, 
execution  circumstances, 
operating  locations, 
resources  required, 
tactical  maneuvers, 
deployments,  actions 
and  objectives 

SECRET//NOF 
ORN//ORCON 
25X-1  HUMAN 

CCR  380-14, 
0109/CG5-P 

CCR  380-14, 
0110/CG5-P 

8141  Initial  TIC  Slide 

12.  Operational  Code 
Words 

SECRET 

CCR  380-14, 
0109/CCJ5-P 

CCR  380-14, 
0110/CG5-P 

8141  Initial  TIC  Slide 

20.  Target  area  weather 
information 

SECRET 

CCR  380-14, 
0109/CCJ5-P 

CCR  380-14, 
0110/CG5-P 
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(EXPLOSIVE  HAZARD)  IED 
FOUND/CLEARED  RPT 
(VOIED)TF 

WORKHORSE/RCP  2  :  0 
INJ/DAM 

12.  Operational  Code 

Words 

SECRET 

CCR  380-14, 
0501/CCJ5-P/A-13/ 

CCR  380-14, 
0110/CCJ5-P/A-39/ 

(EXPLOSIVE  HAZARD)  IED 
FOUND/CLEARED  RPT 
(VOIED)TF 

WORKHORSE/RCP  2  : 0 
INJ/DAM 

13.  Participating  units, 
including  types, 
vulnerabilities,  locations, 
quantities,  readiness 
status,  deployments, 
redeployments,  and 
details  of  movement  of 

US  friendly  forces. 

SECRET 

CCR  380-14, 
0501/CCJ5-P/A-13/ 

CCR  380-14, 
0110/CCJ5-P/A-39/ 

(EXPLOSIVE  HAZARD)  IED 
FOUND/CLEARED  RPT 
(Components)  RC 

EAST/ANP  :  0  INJ/DAM 

12.  Operational  Code 
Words 

SECRET 

CCR  380-14, 
0501/CCJ5-P/A-13/ 

CCR  380-14, 
0110/CG5-P/A-39/ 

(EXPLOSIVE  HAZARD)  IED 
FOUND/CLEARED  RPT 
(Components)  RC 

EAST/ANP :  0  INJ/DAM 

13.  Participating  units, 
including  types, 
vulnerabilities,  locations, 
quantities,  readiness 
status,  deployments, 
redeployments,  and 
details  of  movement  of 

US  friendly  forces. 

SECRET 

CCR  380-14, 
0501/CCJ5-P/A-13/ 

CCR  380-14, 
0110/CCJ5-P/A-39/ 

(EXPLOSIVE  HAZARD)  IED 
FOUND/CLEARED  RPT 
(VOIED)  ANP/ 4-320  FA 
(TM  KHOST)  /  EOD  TM  3  / 
716  : 0  INJ/DAM 

12.  Operational  Code 
Words 

SECRET 

CCR  380-14, 
0501/CCJ5-P/A-13/ 

CCR  380-14, 
0110/CG5-P/A-39/ 
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(EXPLOSIVE  HAZARD)  IED 
FOUND/CLEARED  RPT 
(VOIED)  ANP/ 4-320  FA 
(TM  KHOST)  /  EOD  TM  3  / 
716 : 0  INJ/DAM 

13.  Participating  units, 
including  types, 
vulnerabilities,  locations, 
quantities,  readiness 
status,  deployments, 
redeployments,  and 
details  of  movement  of 

US  friendly  forces. 

SECRET 

CCR  380-14, 
0501/CCJ5-P/A-13/ 

CCR  380-14, 

01 10/CG5-P/  A-39/ 

(EXPLOSIVE  HAZARD) 
INTERDICTION  RPT 
(Components)  TF  2-2  :  1  UE 
KIA1UE  WIA7UEDET 

12.  Operational  Code 
Words 

SECRET 

CCR  380-14, 
0501/CCJ5-P/A-13/ 

CCR  380-14, 
0110/CG5-P/A-39/ 

(EXPLOSIVE  HAZARD) 
INTERDICTION  RPT 
(Components)  TF  2-2  : 1  UE 
KIA1UE  WIA7UEDET 

13.  Participating  units, 
including  types, 
vulnerabilities,  locations, 
quantities,  readiness 
status,  deployments, 
redeployments,  and 
details  of  movement  of 

US  friendly  forces. 

SECRET 

CCR  380-14, 
0501/CG5  -  P/A- 13/ 

CCR  380-14, 
0110/CG5-P/A-39/ 

(EXPLOSIVE  HAZARD)  IED 
FOUND/CLEARED  RPT 
(Components)  TF 
HELMANDIVO  (ROUTE  1):  0 
INJ/DAM 

12.  Operational  Code 
Words 

SECRET 

CCR  380-14, 
0501/CG5-  P/A- 13/ 

CCR  380-14, 

0 1 10/CCJ5-  P/A-39/ 
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(EXPLOSIVE  HAZARD)  IED 
FOUND/CLEARED  RPT 
(Components)  TF 

HELMAND  IVO  (ROUTE  1):  0 
INJ/DAM 

13.  Participating  units, 
including  types, 
vulnerabilities,  locations, 
quantities,  readiness 
status,  deployments, 
redeployments,  and 
details  of  movement  of 
US  friendly  forces. 

SECRET 

CCR  380-14, 
0501/CCJ5-P/A-13/ 

CCR  380-14, 
0110/CCJ5-P/A-39/ 

(EXPLOSIVE  HAZARD)  IED 
FOUND/CLEARED  RPT 
(VOIED)  ANA  /  D  COY  :  0 
INJ/DAM 

12.  Operational  Code 
Words 

SECRET 

CCR  380-14, 
0501/CCJ5-P/A-13/ 

CCR  380-14, 
0110/CCJ5-P/A-39/ 

(EXPLOSIVE  HAZARD)  IED 
FOUND/CLEARED  RPT 
(VOIED)  ANA/ D  COY:  0 
INJ/DAM 

13.  Participating  units, 
including  types, 
vulnerabilities,  locations, 
quantities,  readiness 
status,  deployments, 
redeployments,  and 
details  of  movement  of 

US  friendly  forces. 

SECRET 

CCR  380-14, 
0501/CCJ5-P/A-13/ 

CCR  380-14, 
0110/CCJ5-P/A-39/ 

(EXPLOSIVE  HAZARD)  IED 
FOUND/CLEARED  RPT 
(CWIED)  RC  NORTH/PRT 

KDZ  :  0  INJ/DAM 

12.  Operational  Code 
Words 

SECRET 

CCR  380-14, 
0501/CCJ5-P/A-13/ 

CCR  380-14, 
0110/CCJ5-P/A-39/ 
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(EXPLOSIVE  HAZARD)  IED 
FOUND/CLEARED  RPT 
(CWIED)  RC  NORTH/PRT 

KDZ  :  0  INJ/DAM 

13.  Participating  units, 
including  types, 
vulnerabilities,  locations, 
quantities,  readiness 
status,  deployments, 
redeployments,  and 
details  of  movement  of 

US  friendly  forces. 

SECRET 

CCR  380-14, 

050 1/CG  5-P/A- 13/ 

CCR  380-14, 
0110/CG5-P/A-39/ 

(EXPLOSIVE  HAZARD)  IED 
EXPLOSION  RPT  (RCIED)  RC 
CAPITAL  :  0  INJ/DAM 

12.  Operational  Code 

Words 

SECRET 

CCR  380-14, 

050 1/CG5-P/A- 1 3/ 

CCR  380-14, 
0110/CG5-P/A-39/ 

(EXPLOSIVE  HAZARD)  IED 
EXPLOSION  RPT  (RCIED)  RC 
CAPITAL  :  0  INJ/DAM 

13.  Participating  units, 
including  types, 
vulnerabilities,  locations, 
quantities,  readiness 
status,  deployments, 
redeployments,  and 
details  of  movement  of 

US  friendly  forces. 

SECRET 

CCR  380-14, 
0501/CCJ5-P/A-13/ 

CCR  380-14, 
0110/CG5-P/A-39/ 

(EXPLOSIVE  HAZARD)  IED 
EXPLOSION  RPT  (LINK) 
CJSOTFA :  0  INJ/DAM 

12.  Operational  Code 
Words 

SECRET 

CCR  380-14, 
0501/CCJ5-P/A-13/ 

CCR  380-14, 
0110/CG5-P/A-39/ 

Page  13  of  19 


(EXPLOSIVE  HAZARD)  IED 
EXPLOSION  RPT(UNK) 
CJSOTFA  :  0  INJ/DAM 

13.  Participating  units, 
including  types, 
vulnerabilities,  locations, 
quantities,  readiness 
status,  deployments, 
redeployments,  and 
details  of  movement  of 

US  friendly  forces. 

SECRET 

CCR  380-14, 
0501/CG5-P/A-13/ 

CCR  380-14, 
0110/CG5-P/A-39/ 

(EXPLOSIVE  HAZARD)  IED 
EXPLOSION  RPT  (UNK)  TF 
SPADER  :  1  CIV  KIA  1  CIV 

WIA 

12.  Operational  Code 

Words 

SECRET 

CCR  380-14, 
0501/CG5-P/A-13/ 

CCR  380-14, 
0110/CG5-P/A-39/ 

(EXPLOSIVE  HAZARD)  IED 
EXPLOSION  RPT  (UNK)  TF 
SPADER  :  1  CIV  KIA  1  CIV 

WIA 

13.  Participating  units, 
including  types, 
vulnerabilities,  locations, 
quantities,  readiness 
status,  deployments, 
redeployments,  and 
details  of  movement  of 

US  friendly  forces. 

SECRET 

CCR  380-14, 
0501/CG5-P/A-13/ 

CCR  380-14, 
0110/CG5-P/A-39/ 

(EXPLOSIVE  HAZARD)  IED 
EXPLOSION  RPT  (VOIED) 

IVO  (ROUTE  HWY  1):  1  CIV 
KIA  2  CIV  WIA 

12.  Operational  Code 
Words 

SECRET 

CCR  380-14, 
0501/CG5-P/A-13/ 

CCR  380-14, 

0 1 10/CG  5-  P/A-  39/ 
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(EXPLOSIVE  HAZARD)  IED 
EXPLOSION  RPT  (VOIED) 

IVO  (ROUTE  HWY  1):  1  CIV 
KIA  2  CIV  WIA 

13.  Participating  units, 
including  types, 
vulnerabilities,  locations, 
quantities,  readiness 
status,  deployments, 
redeployments,  and 
details  of  movement  of 

US  friendly  forces. 

SECRET 

CCR  380-14, 
0501/CCJ5-P/A-13/ 

CCR  380-14, 
0110/CCJ5-P/A-39/ 

(EXPLOSIVE  HAZARD) 
UNKNOWN  EXPLOSION  RPT 
(UNK)  B  COY  1  PWRR  :  20 
CIV  KIA  6  CIV  WIA 

12.  Operational  Code 
Words 

SECRET 

CCR  380-14, 
0501/CCJ5-P/A-13/ 

CCR  380-14, 
0110/CCJ5-P/A-39/ 

(EXPLOSIVE  HAZARD) 
UNKNOWN  EXPLOSION  RPT 
(UNK)  B  COY  1  PWRR  :  20 
CIV  KIA  6  CIV  WIA 

13.  Participating  units, 
including  types, 
vulnerabilities,  locations, 
quantities,  readiness 
status,  deployments, 
redeployments,  and 
details  of  movement  of 

US  friendly  forces. 

SECRET 

CCR  380-14, 
0501/CCJS-P/A-13/ 

CCR  380-14, 
0110/CCJ5-P/A-39/ 

(EXPLOSIVE  HAZARD)  IED 
EXPLOSION  RPT  (CWIED) :  2 
CF  WIA  1  UE  KIA  5  UE  DET 

12.  Operational  Code 
Words 

SECRET 

CCR  380-14, 
0501/CCJ5-P/A-13/ 

CCR  380-14, 
0110/CCJ5-P/A-39/ 
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(EXPLOSIVE  HAZARD)  IED 
EXPLOSION  RPT  (CWIED) :  2 
CF  WIA  1  UE  KIA  5  UE  DET 

13.  Participating  units, 
including  types, 
vulnerabilities,  locations, 
quantities,  readiness 
status,  deployments, 
redeployments,  and 
details  of  movement  of 

US  friendly  forces. 

SECRET 

CCR  380-14, 
0501/CCJ5-P/A-13/ 

CCR  380-14, 
0110/CCJ5-P/A-39/ 

(EXPLOSIVE  HAZARD) 
UNKNOWN  EXPLOSION  RPT 
ANA  (1/1/205)  :0INJ/DAM 

12.  Operational  Code 
Words 

SECRET 

CCR  380-14, 
0501/CG5-P/A-13/ 

CCR  380-14, 
0110/CCJ5-P/A-39/ 

(EXPLOSIVE  HAZARD) 
UNKNOWN  EXPLOSION  RPT 
ANA  (1/1/205) :  0  INJ/DAM 

13.  Participating  units, 
including  types, 
vulnerabilities,  locations, 
quantities,  readiness 
status,  deployments, 
redeployments,  and 
details  of  movement  of 

US  friendly  forces. 

SECRET 

CCR  380-14, 
0501/CCJ5-P/A-13/ 

CCR  380-14, 
0110/CCJ5-P/A-39/ 

(EXPLOSIVE  HAZARD)  IED 
FOUND/CLEARED  RPT 
(VOIED)  POLBG/TF  WHITE 
EAGLE  :  0  INJ/DAM 

12.  Operational  Code 
Words 

SECRET 

CCR  380-14, 
0501/CCJ5-P/A-13/ 

CCR  380-14, 
0110/CCJ5-P/A-39/ 
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(EXPLOSIVE  HAZARD)  IED 
FOUND/CLEARED  RPT 
(VOIED)  POL  BG/TF  WHITE 
EAGLE  :  0  INJ/DAM 

13.  Participating  units, 
including  types, 
vulnerabilities,  locations, 
quantities,  readiness 
status,  deployments, 
redeployments,  and 
details  of  movement  of 

US  friendly  forces. 

SECRET 

CCR  380-14, 
0501/CG5-P/  A- 13/ 

CCR  380-14, 
0110/CG5-P/A-39/ 

(EXPLOSIVE  HAZARD)  MINE 
FOUND/CLEARED  RPT 
(VOIED)  TM  GHAZNI  :0 
INJ/DAM 

12.  Operational  Code 
Words 

SECRET 

CCR  380-14, 
0501/CG5-P/A-13/ 

CCR  380-14, 

01 10/CG  5-  P/A-39/ 

(EXPLOSIVE  HAZARD)  MINE 
FOUND/CLEARED  RPT 
(VOIED)  TM  GHAZNI  :0 
INJ/DAM 

13.  Participating  units, 
including  types, 
vulnerabilities,  locations, 
quantities,  readiness 
status,  deployments, 
redeployments,  and 
details  of  movement  of 

US  friendly  forces. 

SECRET 

CCR  380-14, 
0501/CG5-P/A-13/ 

CCR  380-14, 
0110/CG5-P/A-39/ 

(EXPLOSIVE  HAZARD)  IED 
AMBUSH  RPT(UNK)  TF 
CURRAHEE  IVO  (ROUTE 
OHIO):  3  CF  WIA 

12.  Operational  Code 

Words 

SECRET 

CCR  380-14, 
0501/CG5-P/A-13/ 

CCR  380-14, 
0110/CG5-P/A-39/ 
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(EXPLOSIVE  HAZARD)  IED 
AMBUSH  RPT(UNK)  TF 
CURRAHEEIVO  (ROUTE 
OHIO):  3CF  WIA 

13.  Participating  units, 
including  types, 
vulnerabilities,  locations, 
quantities,  readiness 
status,  deployments, 
redeployments,  and 
details  of  movement  of 

US  friendly  forces. 

SECRET 

CCR  380-14, 
0501/CCJ5-P/A-13/ 

CCR  380-14, 
0110/CG5-P/A-39/ 

(FRIENDLY  ACTION)  CACHE 
FOUND/CLEARED  RPTTF 
URUZGAN  HQ  :  0  INJ/DAM 

12.  Operational  Code 
Words 

SECRET 

CCR  380-14, 
0501/CCJ5-P/A-13/ 

CCR  380-14, 
0110/CG5-P/A-39/ 

(FRIENDLY  ACTION)  CACHE 
FOUND/CLEARED  RPTTF 
URUZGAN  HQ  :0  INJ/DAM 

13.  Participating  units, 
including  types, 
vulnerabilities,  locations, 
quantities,  readiness 
status,  deployments, 
redeployments,  and 
details  of  movement  of 

US  friendly  forces. 

SECRET 

CCR  380-14, 

0501/ CG  5-  P/A- 13/ 

CCR  380-14, 
0110/CG5-P/A-39/ 

(EXPLOSIVE  HAZARD)  IED 
SUSPECTED  RPTTF 
HELMAND/W  CO,  45  CDO 
RM  :  0  INJ/DAM 

12.  Operational  Code 
Words 

SECRET 

CCR  380-14, 
0501/CG5-P/A-13/ 

CCR  380-14, 
0110/CG5-P/A-39/ 
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(EXPLOSIVE  HAZARD)  IED 
SUSPECTED  RPT  TF 
HELMAND/W  CO,  45  CDO 
RM  :  0  INJ/DAM 

13.  Participating  units, 
including  types, 
vulnerabilities,  locations, 
quantities,  readiness 
status,  deployments, 
redeployments,  and 
details  of  movement  of 

US  friendly  forces. 

SECRET 

CCR  380-14, 
0501/CCJ5-P/A-13/ 

CCR  380-14, 
0110/CCJ5-P/A-39/ 

(EXPLOSIVE  HAZARD)  IED 
EXPLOSION  RPT  (RCIED)  TF 
SPADER  (1-26  IN)  IVO 
(ROUTE  BEAVERTON):  3  CF 
KIA  1  CF  WIA  1  UE 

12.  Operational  Code 
Words 

SECRET 

CCR  380-14, 
0501/CCJ5-P/A-13/ 

CCR  380-14, 
0110/CCJ5-P/A-39/ 

(EXPLOSIVE  HAZARD)  IED 
EXPLOSION  RPT  (RCIED)  TF 
SPADER  (1-26  IN)  IVO 
(ROUTE  BEAVERTON):  3  CF 
KIA  1CF  WIA  1  UE 

13.  Participating  units, 
including  types, 
vulnerabilities,  locations, 
quantities,  readiness 
status,  deployments, 
redeployments,  and 
details  of  movement  of 

US  friendly  forces. 

SECRET 

CCR  380-14, 
0501/CCJ5-P/A-13/ 

CCR  380-14, 
0110/CG5-P/A-39/ 
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Prosecution  Exhibit  88 
103  pages 
classified 
’’SECRET” 

ordered  sealed  for  Reason  2 
Military  Judge’s  Seal  Order 
dated  20  August  2013 
stored  in  the  classified 
supplement  to  the  original 
Record  of  Trial 


9 


Prosecution  Exhibit  89 
55  pages 
classified 
"SECRET" 

ordered  sealed  for  Reason  2 
Military  Judge's  Seal  Order 
dated  20  August  2013 
stored  in  the  classified 
supplement  to  the  original 
Record  of  Trial 
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Prosecution  Exhibit  90 
140  pages 
classified 
"SECRET” 

ordered  sealed  for  Reason  2 
Military  Judge’s  Seal  Order 
dated  20  August  2013 
stored  in  the  classified 
supplement  to  the  original 
Record  of  Trial 
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SUMMARY  of  CHANGE 


AR  25-2 

Information  Assurance 

This  rapid  action  revision,  dated  23  March  2009- - 

o  Clarifies  and  corrects  references  to  Department  of  Defense  Directive  8750.1 
and  Army  training  requirements  (para  4-3) . 

o  Removes  incorrect  course  reference  to  Information  Assurance  Manager  Course 
and  provides  correct  information  on  Certified  Information  Systems  Security 
Professional  modules  (para  4-3) . 

o  Removes  incorrect  information  regarding  Fort  Gordon  course  topics  (para  4-3)  . 

o  Removes  references  to  the  Asset  and  Vulnerability  Tracking  Resource 
compliance  reporting  database,  which  is  no  longer  used,  to  correctly 
reference  the  Army  Training  and  Certification  Tracking  System  (para  4-3)  . 

o  Deletes  incorrect  reference  to  Skillport  for  required  information  assurance 
training  (para  4-3)  . 

o  Changes  Department  of  Defense  Warning  Banner  verbiage  to  comply  with 
Department  of  Defense  directed  mandatory  guidance  (para  4-5) . 

o  Corrects  references  to  the  National  Information  Assurance  Partnership  (para 
6-1)  . 

o  Adds  mandatory  Department  of  Defense  Standardized  Notice  and  Consent  User 
Agreement  language  (app  B-3)  . 

o  Updates  office  symbols  and  acronyms  (throughout) . 
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Washington,  DC 
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By  Order  of  the  Secretary  of  the  Army: 

GEORGE  W.  CASEY,  JR. 

General,  United  States  Army 
Chief  of  Staff 


Official: 


Administrative  Assistant  to  the 
Secretary  of  the  Army 


History.  This  publication  is  a  rapid  action 
revision  (RAR).  This  RAR  is  effective  23 
April  2009.  The  portions  affected  by  this 
RAR  are  listed  in  the  summary  of  change. 
Summary.  This  regulation  provides  In¬ 
formation  Assurance  policy,  mandates, 
roles,  responsibilities,  and  procedures  for 
implementing  the  Army  Information  As¬ 
surance  Program,  consistent  with  today’s 
technological  advancements  for  achieving 
acceptable  levels  of  security  in  engineer¬ 
ing,  implementation,  operation,  and  main¬ 
tenance  for  information  systems 
connecting  to  or  crossing  any  U.S.  Army 
managed  network. 

Applicability.  This  regulation  applies  to 
the  Active  Army,  the  Army  National 
Guard/Army  National  Guard  of  the  United 
States,  and  the  U.S.  Army  Reserve,  unless 
otherwise  stated.  Also,  it  applies  to  all 
users,  information  systems,  and  networks 
at  all  information  classification  levels; 


program  executive  officers;  direct  report¬ 
ing  program  managers;  strategic,  tactical, 
and  non-tactical  environments  or  installa¬ 
tions;  internal  or  external  organizations, 
services,  tenants,  or  agencies  (for  exam¬ 
ple,  DOD,  sister  Services,  U.S.  Army 
Corps  of  Engineers  (USACE);  contractors 
working  on  Army  information  systems 
pursuant  to  Army  contracts;  Army  and 
Air  Force  Exchange  Service  (AAFES); 
morale,  welfare,  and  recreation  activities; 
educational  institutions  or  departments 
(for  example,  DOD  schools,  the  U.S.  Mil¬ 
itary  Academy  at  West  Point);  and  Army 
affiliated  or  sponsored  agencies  (for  ex¬ 
ample,  Western  Hemisphere  Institute  for 
Security  Cooperation).  During  mobiliza¬ 
tion,  the  proponent  may  modify  chapters 
and  policies  contained  in  this  regulation. 
Proponent  and  exception  authority. 
The  proponent  of  this  regulation  is  the 
Chief  Information  Officer/G-6.  The  pro¬ 
ponent  has  the  authority  to  approve  ex¬ 
ceptions  or  waivers  to  this  regulation  that 
are  consistent  with  controlling  law  and 
regulations.  The  proponent  may  delegate 
this  approval  authority,  in  writing,  to  a 
division  chief  within  the  proponent 
agency  or  its  direct  reporting  unit  or  field 
operating  agency,  in  the  grade  of  colonel 
or  the  civilian  equivalent.  Activities  may 
request  a  waiver  to  this  regulation  by  pro¬ 
viding  justification  that  includes  a  full 
analysis  of  the  expected  benefits  and  must 
include  a  formal  review  by  the  activity’s 
senior  legal  officer.  All  waiver  requests 
will  be  endorsed  by  the  commander  or 
senior  leader  of  the  requesting  activity 


and  forwarded  through  their  higher  head¬ 
quarters  to  the  policy  proponent.  Refer  to 
AR  25-30  for  specific  guidance. 

Army  management  control  process. 

This  regulation  contains  management  con¬ 
trol  provisions  and  identifies  key  manage¬ 
ment  controls  that  must  be  evaluated  (see 
appendix  C). 

Supplementation.  Supplementation  of 
this  regulation  and  establishment  of  com¬ 
mand  and  local  forms  are  prohibited  with¬ 
out  prior  approval  from  the  Chief 
Information  Officer,  G-6  (SA1S-ZA),  107 
Army  Pentagon,  Washington  DC 
20310-0107. 

Suggested  improvements.  Users  are 
invited  to  send  comments  and  suggested 
improvements  on  DA  Form  2028  (Recom¬ 
mended  Changes  to  Publications  and 
Blank  Forms)  directly  to  HQDA,  CIO/ 
G-6,  107  Army  Pentagon,  Washington 
DC  20310-0107. 

Distribution.  Distribution  of  this  publi¬ 
cation  is  available  in  electronic  media 
only  and  is  intended  for  command  levels 
B,  C,  D,  and  E  for  the  Active  Army,  the 
Army  National  Guard/Army  National 
Guard  of  the  United  States,  and  the  U.S. 
Army  Reserve. 
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Chapter  1 
Introduction 

1-1.  Purpose 

This  regulation  establishes  information  assurance  (IA)  policy,  roles,  and  responsibilities.  It  assigns  responsibilities  for 
all  Headquarters,  Department  of  the  Army  (HQDA)  staff,  commanders,  directors,  1A  personnel,  users,  and  developers 
for  achieving  acceptable  levels  of  1A  in  the  engineering,  implementation,  operation,  and  maintenance  (EIO&M)  for  all 
information  systems  (ISs)  across  the  U.S.  Army  Enterprise  Infostructure  (AE1). 

1-2.  References 

Required  and  related  publications  and  prescribed  and  referenced  forms  are  listed  in  appendix  A. 

1-3.  Explanation  of  abbreviations  and  terms 

Abbreviations  and  special  terms  used  in  this  regulation  are  explained  in  the  glossary. 

1-4.  Army  Information  Assurance  Program 

a.  The  Army  Information  Assurance  Program  (A1AP)  is  a  unified  approach  to  protect  unclassified,  sensitive,  or 
classified  information  stored,  processed,  accessed,  or  transmitted  by  ISs,  and  is  established  to  consolidate  and  focus 
Army  efforts  in  securing  that  information,  including  its  associated  systems  and  resources,  to  increase  the  level  of  trust 
of  this  information  and  the  originating  source.  The  AIAP  will  secure  ISs  through  1A  requirements,  and  does  not  extend 
access  privileges  to  special  access  programs  (SAPs),  classified,  or  compartmentalized  data;  neither  does  it  circumvent 
need-to-know  requirements  of  the  data  or  information  transmitted. 

b.  The  AIAP  is  designed  to  achieve  the  most  effective  and  economical  policy  possible  for  all  ISs  using  the  risk 
management  approach  for  implementing  security  safeguards.  To  attain  an  acceptable  level  of  risk,  a  combination  of 
staff  and  field  actions  is  necessary  to  develop  local  policy  and  guidance,  identify  threats,  problems  and  requirements, 
and  adequately  plan  for  the  required  resources. 

c.  Information  systems  exhibit  inherent  security  vulnerabilities.  Cost-effective,  timely,  and  proactive  IA  measures 
and  corrective  actions  will  be  established  and  implemented  to  mitigate  risks  before  exploitation  and  to  protect  against 
vulnerabilities  and  threats  once  they  have  been  identified. 

(1)  Measures  taken  to  attain  I A  objectives  will  be  commensurate  with  the  importance  of  the  operations  to  mission 
accomplishment,  the  sensitivity  or  criticality  of  the  information  being  processed,  and  the  relative  risks  (the  combination 
of  threats,  vulnerabilities,  countermeasures,  and  mission  impact)  to  the  system.  Implementation  of  an  IA  operational 
baseline  will  be  an  incremental  process  of  protecting  critical  assets  or  data  first,  and  then  building  upon  those  levels  of 
protection  and  trust  across  the  enclave. 

(2)  Statements  of  security  requirements  will  be  included  in  the  earliest  phases  (for  example,  mission  needs  state¬ 
ments,  operational  requirements  document,  capstone  requirement  document)  of  the  system  acquisition,  contracting,  and 
development  life  cycles. 

d.  An  operationally  focused  IA  program  requires  the  implementation  of  innovative  approaches.  Through  the  use  of 
IA  best  business  practices  (BBPs)  the  best  ideas,  concepts,  and  methodologies  acquired  from  industry  and  Army 
resources  will  be  used  to  define  specific  standards,  measures,  practices,  or  procedures  necessary  to  meet  rapidly 
changing  technology  or  IA  requirements  in  support  of  Army  policy  requirements.  IA  BBPs  allow  rapid  transitional 
implementation  of  IA  initiatives  to  integrate,  use,  improve,  or  modify  technological  or  procedural  changes  as  required 
by  policy.  BBPs  are  located  at  https://informationassurance.us.army.mil. 

e.  The  elements  of  the  Defense  in  Depth  (DiD)  strategy  focus  on  three  areas:  people,  operations,  and  defense  of  the 
environment  (the  latter  of  which  encompasses  the  computing  environment,  the  networks,  the  enclave  boundaries,  and 
the  supporting  infrastructure). 

f.  The  AIAP  is  not  a  stand-alone  program,  but  incorporates  related  functions  from  other  standards  or  policies  such 
as;  operations  security  (OPSEC),  communications  security  (COMSEC),  transmission  security  (TRANSEC),  information 
security  (INFOSEC),  personnel  security,  and  physical  security  to  achieve  IA  requirements. 

g.  Failure  to  implement  proactive  or  corrective  IA  security  measures,  guidance,  policy,  or  procedures  may  prevent 
system  or  enclave  accreditation,  installation,  or  operation  and  may  increase  system  vulnerability  to  foreign  and 
domestic  computer  network  operation  (CNO)  activities  designed  to  deny  service,  compromise  information,  or  permit 
unauthorized  access  to  sensitive  information.  IA  or  network  personnel  may  block  access  to  ISs  that  reflect  poor  IA 
security  practices  or  fail  to  implement  corrective  measures. 

1-5.  Overview 

a.  The  AIAP  applies  to  ISs  including,  but  not  limited  to,  computers,  processors,  devices,  or  environments  (operating 
in  a  prototype,  test  bed,  stand-alone,  integrated,  embedded,  or  networked  configuration)  that  store,  process,  access,  or 
transmit  data,  including  unclassified,  sensitive  (formerly  known  as  sensitive  but  unclassified  (SBU)),  and  classified 
data,  with  or  without  handling  codes  and  caveats.  ISs  used  for  teleworking,  telecommuting,  or  similar  initiatives; 
contractor  owned  or  operated  ISs;  ISs  obtained  with  non-appropriated  funds;  automated  tactical  systems  (ATSs); 
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automated  weapons  systems  (AWSs);  distributed  computing  environments  (DCEs);  and  systems  processing  intelligence 
information  are  required  to  adhere  to  the  provisions  of  this  regulation. 

b.  Commanders  of  activities  requiring  limited  access  by  any  local  foreign  national  (FN)  officials  or  personnel 
(including  information  technology  (IT)  positions)  will  follow  the  provisions  of  this  regulation. 

c.  This  regulation  applies  equally  to  the  operation,  safeguarding,  and  integrity  of  the  infrastructures  (for  example, 
power,  water,  air  conditioning),  including  the  environment  in  which  the  IS  operates. 

d.  While  no  regulation  or  policy  on  security  measures  can  ever  provide  a  100  percent  solution,  implementation  of 
the  concepts,  procedures,  and  recommendations  in  this  regulation  will  drastically  reduce  the  manageability  require¬ 
ments  of  assets,  and  minimize  the  effects  of  unauthorized  access  or  loss.  The  cornerstone  philosophy  of  IA  is  to  design, 
implement,  and  secure  access,  data,  ISs,  and  data  repositories;  increase  trust  and  trusted  relationships;  employ  technical 
and  operational  security  mechanisms;  deny  all  unauthorized  accesses;  and  permit  necessary  exceptions  to  support 
Army,  DOD,  and  Joint  interagency  and  multinational  (JIM)  tactical  and  sustaining-base  operations. 

e.  Army  information  constitutes  an  asset  vital  to  the  effective  performance  of  our  national  security  roles.  While  all 
communication  systems  are  vulnerable  to  some  degree,  the  ready  availability  of  low-cost  IT,  freely  distributed  attack 
tools,  increased  system  connectivity  and  asset  distribution,  and  attack-standoff  capabilities  make  computer  network 
attacks  (CNAs)  an  attractive  option  to  our  adversaries.  Information  Assurance  capabilities  and  actions  protect  and 
defend  network  availability,  protect  data  integrity,  and  provide  the  ability  to  implement  effective  computer  network 
defense  (CND).  Management  of  Army  information  is  imperative  so  that  its  confidentiality,  integrity,  availability,  and 
non-repudiation  can  be  ensured,  and  that  users  of  that  data  can  be  properly  identified  and  authenticated. 

f.  The  AEI  architecture  requires  the  establishment,  verification,  and  maintenance  of  trusted  enclaves,  trusted  connec¬ 
tivity,  and  trusted  information  and  information  sources  along  with  the  capability  to  access  and  distribute  that  informa¬ 
tion  by  leveraging  technology  and  capabilities  to  amplify  that  trust. 

g.  To  accomplish  these  foundational  objectives,  this  regulation  establishes  requirements  as  follows: 

(1)  Provides  administrative  and  systems  security  requirements,  including  those  for  interconnected  systems. 

(2)  Defines  and  mandates  the  use  of  risk  assessments. 

(3)  Defines  and  mandates  the  DiD  strategy. 

(4)  Promotes  the  use  of  efficient  procedures  and  cost-effective,  computer-based  security  features  and  assurances. 

(5)  Describes  the  roles  and  responsibilities  of  the  individuals  who  constitute  the  IA  security  community  and  its 
system  users,  and  outlines  training  and  certification  requirements. 

(6)  Requires  a  life  cycle  management  approach  to  implementing  IA  requirements. 

(7)  Introduces  the  concepts  of  mission  assurance  category,  levels  of  confidentiality,  and  levels  of  robustness  of 
information. 

(8)  Implements  DODD  8500.1,  DODI  8500.2,  and  Chairman  of  the  Joint  Chiefs  of  Staff  Manual  (CJCSM)  6510.01 
to  align  IA  goals  and  requirements  to  support  the  DOD  Information  Management  Strategic  Plan. 

(9)  Mandates  procedures  to  document  the  status  of  accreditations  for  all  ISs  fielded  by  DOD  organizations.  Army 
chartered  program  managers  (PMs),  and  HQDA  staff  proponents. 

(10)  Mandates  that  DOD  and  Army-level  designated  approving  authorities  (DAAs)  meet  the  system  accreditation 
requirements  of  this  regulation  before  fielding  or  testing  any  system  that  requires  connection  to  an  Army  network. 

(11)  Requires  the  implementation  of  a  configuration  management  (CM)  process. 

(12)  Describes  the  Continuity  of  Operations  Plan  (COOP). 

(13)  Provides  the  foundation  for  the  Networthiness  Certification  Program  in  AR  25-1. 

h.  Other  policies,  procedures,  or  directives  also  govern  certain  systems.  In  the  event  of  conflicts  among  these 
policies,  procedures,  or  directives,  the  more  stringent  requirement  will  take  precedence.  When  the  most  stringent  policy 
cannot  be  determined,  the  affected  Army  component  will  submit  a  request  for  a  policy  decision  through  their 
supporting  regional  chief  information  officers/functional  chief  information  officers  (RCIOs/FCIOs)  to  the  Chief  Infor¬ 
mation  Officer/G-6  (CIO/G-6). 

/.  The  mention  of  commercial  products  in  this  regulation  does  not  imply  endorsement  by  either  DOD  or  the  Army. 

j.  Military  and  civilian  personnel  may  be  subject  to  administrative  and/or  judicial  sanctions  if  they  knowingly, 
willfully,  or  negligently  compromise,  damage,  or  place  Army  information  systems  at  risk  by  not  ensuring  implementa¬ 
tion  of  DOD  and  Army  policies  and  procedures.  Violations  are  identified  in  bolded  text  included  in  the  following 
paragraphs  3-3,  4-5,  4-6,  4-12,  4-13,  4-16,  4-20,  and  6-5. 

k.  These  provisions  may  be  punished  as  violations  as  follows: 

( 1 )  Sanctions  for  civilian  personnel  may  include,  but  are  not  limited  to,  some  or  all  of  the  following  administrative 
actions:  oral  or  written  warning  or  reprimand;  adverse  performance  evaluation;  suspension  with  or  without  pay;  loss  or 
suspension  of  access  to  IS  or  networks,  and  classified  material  and  programs;  any  other  administrative  sanctions 
authorized  by  contract  or  agreement;  and/or  dismissal  from  employment.  Sanctions  for  civilians  may  also  include 
prosecution  in  U.S.  District  Court  or  other  courts  and  any  sentences  awarded  pursuant  to  such  prosecution.  Sanctions 
may  be  awarded  only  by  civilian  managers  or  military  officials  who  have  authority  to  impose  the  specific  sanction(s) 
proposed. 
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(2)  Sanctions  for  military  personnel  may  include,  but  are  not  limited  to,  some  of  the  following  administrative 
actions:  oral  or  written  warning  or  reprimand;  adverse  performance  evaluation;  and  loss  or  suspension  of  access  to  IS 
or  networks  and  classified  material  and  programs.  Sanctions  for  military  personnel  may  also  include  any  administrative 
measures  authorized  by  service  directives  and  any  administrative  measures  or  non-judicial  or  judicial  punishments 
authorized  by  the  Uniform  Code  of  Military  Justice  (UCMJ). 

(3)  Defense  contractors  are  responsible  for  ensuring  employees  perform  under  the  terms  of  the  contract  and 
applicable  directives,  laws,  and  regulations  and  must  maintain  employee  discipline.  The  contracting  officer,  or 
designee,  is  the  liaison  with  the  defense  contractor  for  directing  or  controlling  contractor  performance.  Outside  the 
assertion  of  criminal  jurisdiction  for  misconduct,  the  contractor  is  responsible  for  disciplining  contractor  personnel. 
Only  the  Department  of  Justice  may  prosecute  misconduct  under  applicable  Federal  laws,  absent  a  formal  declaration 
of  war  by  Congress  (which  would  subject  civilians  accompanying  the  force  to  UCMJ  jurisdiction).  For  additional 
information  on  contractor  personnel  authorized  to  accompany  U.S.  Armed  Forces,  see  DODI  3020.41. 


Chapter  2 
Responsibilities 

2-1.  Chief  Information  Officer/G-6 

The  CIO/G-6  will— 

a.  Establish  and  issue  IA  policy  and  procedures  and  serve  as  the  focal  point  for  1A  programs  and  funding. 

b.  Develop,  review,  and  coordinate  DA  input  into  DOD  1A  policy  documents. 

c.  Establish  and  maintain  Army  standardized  evaluations  and  test  methodology  certification  procedures  and  security 
requirements  as  part  of  the  accreditation  process. 

d.  Document,  develop,  coordinate,  present,  prioritize,  and  defend  1A  resource  requirements  in  the  planning,  pro¬ 
gramming,  and  budgeting  process. 

e.  Coordinate  with  the  Deputy  Chief  of  Staff,  G-2  (DCS,  G-2)  for  the  policy,  development,  dissemination,  support, 
tactics,  techniques,  and  procedures  for  the  design,  implementation,  and  operation  of  the  key  management  infrastructure 
(KMI)  and  systems  to  support  Army  encryption  requirements. 

f.  Provide  program  oversight  for  Army  implementation  of  the  KMI  and  funding  aspects  of  the  Electronic  Key 
Management  System  (EKMS). 

g.  Prepare  the  annual  IA  readiness  report. 

h.  Provide  technical  and  operational  assistance  and  support  to  the  U.S.  Army  Audit  Agency  (USAAA)  in  its  audits 
and  reviews  of  ISs. 

i.  Evaluate  technological  trends  in  IA  and  establish  a  methodology  to  integrate  advancements. 

j.  Provide  IA  guidance  to  Army  elements  in  identifying  and  incorporating  requirements  consistent  with  the  KMI 
requirements  in  project  development. 

k.  Act  as  the  certification  and  accreditation  (C&A)  designated  approving  authority  (DAA)  for  ISs  with  the  excep¬ 
tions  found  in  paragraph  5-8 m. 

l.  Provide  a  point  of  contact  (POC)  with  the  Defense  Information  Systems  Agency/Center  for  Information  Systems 
Security  (DISA/CISS)  for  advice  and  assistance  and  implementation  of  certification  tests  and  programs  for  Army 
operated  ISs. 

m.  Serve  as  the  Army  member  of  the  Committee  on  National  Security  Systems  (CNSS)  and  the  Subcommittees  for 
Telecommunications  Security  (STS)  and  Information  Systems  Security  (SISS). 

n.  Provide  an  Army  voting  member  to  the  Key  Management  Executive  Committee  (KMEC)  and  Joint  Key 
Management  Infrastructure  Working  Group  (JKMIWG). 

o.  Provide  policy,  guidance,  and  oversight  on  the  employment  of  National  Institute  of  Standards  and  Technology 
(NIST)  approved  cryptography  for  the  protection  of  unclassified  and  sensitive  information. 

p.  Appoint  the  chairperson  and  alternate  chairperson  for  the  Tier  1  System  Management  Board  (TSMB),  which  has 
operations  management  responsibilities  for  the  Tri-Service  EKMS  Common  Tier  1  System  (CT1S). 

q.  Participate  with  the  DCS,  G-2;  U.S.  Army  Intelligence  and  Security  Command  (INSCOM);  Network  Enterprise 
Technology  Command/9th  Signal  Command  (Army)  (NETCOM/9th  SC  (A);  Ist  Information  Operations  (LAND) 
Command  (1st  10  CMD  (LAND));  and  the  U.S.  Army  Criminal  Investigation  Command  (C1D)  in  analyses  and  studies 
concerning  foreign  intelligence  threats,  criminal  intelligence,  or  operational  vulnerabilities  against  which  IA  counter¬ 
measures  will  be  directed. 

r.  Appoint,  formally,  by  name  and  organization  the  DAA  for  ISs  that  process  Army  data,  upon  request,  through 
formal  signed  memo  or  digitally  signed  e-mail.  This  appointment  will  be  consistent  with  paragraph  5-8g  through  k. 

s.  Ensure  the  concepts  of,  and  strategies  within,  this  regulation  are  utilized  as  the  basis  for  networthiness  certifica¬ 
tion  per  AR  25-1. 
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t.  Provide  technical  and  operational  assistance  and  support  to  the  Army  Web  Risk  Assessment  Cell  (AWRAC). 

u.  Provide  program  oversight  of  Communications  Security  Logistics  Activity  (CSLA)  for  an  Army  cryptographic 
applications  certification  process  (when  developed). 

v.  Appoint  the  Director,  Office  of  Information  Assurance  and  Compliance  (OlA&C),  NETCOM/9th  SC  (A),  as  the 
Army  senior  information  security  officer  under  the  provisions  of  the  Federal  Information  Systems  Management  Act 
(FISMA). 

w.  Coordinate  with  the  DCS,  G-2  on  C&A  issues  of  sensitive  compartmented  information  (SCI)  systems  and 
INSCOM/G-6  for  S1GINT  systems,  as  applicable. 

x.  See  additional  responsibilities  at  paragraph  2-2,  below. 

2-2.  Principal  Headquarters,  Department  of  the  Army  officials  and  staff 

Principal  HQDA  officials  and  staff  will— 

a.  Implement  IA  requirements  within  their  respective  functional  areas. 

b.  Develop,  coordinate,  supervise,  execute,  and  allocate  the  research,  development,  test,  and  evaluation  (RDT&E) 
procurement  resources  in  support  of  IA  program  requirements  as  required  in  their  functional  area. 

c.  Participate  collectively  with  other  IA  stakeholders  in  the  enterprise  planning,  acquisition,  and  operation  of  IA 
strategies. 

d.  Integrate  approved  IA  tools,  doctrine,  procedures,  and  techniques  into  all  ISs  under  their  purview. 

e.  Establish  internal  procedures  for  reporting  security  incidents  or  violations  and  report  incidents  and  events  to  the 
servicing  regional  computer  emergency  response  teams  (RCERTs)  in  accordance  with  Section  VIII,  Incident  and 
Intrusion  Reporting,  consistent  with  paragraphs  4-21  and  4-22,  below. 

/  Support  the  Army’s  Information  Assurance  Vulnerability  Management  (IAVM)  Program  notification  and  correc¬ 
tion  processes.  IAVM  notification  and  correction  are  DOD  and  Army  operational  requirements. 

g.  Develop  and  implement  local  acceptable  use  policy  (AUP)  for  all  users  authorized  access  to  HQDA  ISs  (app  B 
presents  a  sample  AUP). 

h.  Ensure  all  systems,  for  which  the  principal  HQDA  Army  office  is  the  system  owner  (SO)  are  accredited,  annually 
revalidated,  and  re-accredited  in  accordance  with  the  interim  DOD  Information  Assurance  Certification  and  Accredita¬ 
tion  Process  (DIACAP). 

i.  Ensure  the  C&A  package  is  submitted  to  the  Army  certification  authority  (CA)  in  sufficient  time  for  a  review  and 
operational  IA  risk  recommendation  in  support  of  DAA  authorization  decision  prior  to  operations  or  tests  on  a  live 
network  or  with  live  Army  data. 

j.  Request  appointment  as  the  DAA  for  information  systems,  as  appropriate,  from  the  CIO/G-6  through  the  OIA&C 
consistent  with  paragraph  5-8. 

k.  Appoint  appropriate  IA  personnel  per  chapter  3  of  this  regulation  and  provide  CIO/G-6  a  copy  of  the  appointment 
orders. 

l.  Identify  personnel  and  procedures  at  all  organizational  and  subordinate  levels,  as  required,  to  implement  a 
Configuration  Management  Board  (CMB)  or  Configuration  Control  Board  (CCB)  to  effect  control  and  management 
mechanisms  on  all  ISs,  devices,  configurations,  and  IA  implementations.  Include  IA  personnel  as  members  of  the 
board. 

m.  Incorporate  related  OPSEC,  COMSEC,  and  INFOSEC  policies  and  requirements  into  a  comprehensive  IA 
management  program. 

2-3.  Administrative  Assistant  to  the  Secretary  of  the  Army 

The  AASA  will — 

a.  Serve  as  the  commander  for  Pentagon  Information  Technology  Services  (ITS). 

b.  Request  appointment,  from  the  CIO/G-6  through  the  OIA&C,  as  the  DAA  for  the  Pentagon  ITS  and  IS  connected 
to  the  Pentagon  Common  Information  Technology  (CIT)  Enterprise,  associated  swing  space,  and  alternate  COOP  sites 
through  the  national  capital  region  (NCR). 

c.  Appoint,  once  authorized,  General  Officer  (GO),  Senior  Executive  Service  (SES)  or  equivalent  within  AASA 
purview  as  DAAs,  when  they  are  the  SOs  or  have  life  cycle  responsibility  for  the  IS,  as  appropriate.  Provide  a  copy  of 
the  appointments  to  the  OIA&C  through  iacora@us.army.mil. 

d.  Coordinate  connectivity  requirements  to  the  Department  of  Defense  Intelligence  Information  System  (DODIIS)  IT 
SCI  enterprise  backbone  within  the  Pentagon  CIT  enterprise. 

e.  See  additional  responsibilities  at  paragraph  2-2  and  paragraph  2-8. 

2-4.  Assistant  Secretary  of  the  Army  for  Acquisition,  Logistics,  and  Technology 

The  ASA  (ALT)  will— 

a.  Forward  to  National  Security  Agency  (NSA)  and  HQDA  approved  materiel  requirements  for  IA  tools  and 
equipment  (including  cryptographic  equipment),  along  with  requests  for  RDT&E  efforts  to  fulfill  those  needs. 
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b.  Designate  an  Army  materiel  developer  to  conduct  and  update  threat  analyses  as  outlined  by  AR  381-11. 

c.  Monitor  NSA,  other  Service  COMSEC,  and  IA  RDT&E  projects  that  are  of  interest  to  the  Army.  Designate  Army 
program  managers  as  defined  in  AR  70-1  for  each  project  having  potential  application  for  Army  use.  Require  the 
designated  manages  to  maintain  a  liaison  between  the  developing  agency  and  interested  Army  agencies  of  the  progress 
of  such  projects. 

d.  Establish  coordination  with  NSA  concurrent  life  cycle  management  milestones  for  development  of  cryptographic 
equipment  in  support  of  IA  initiatives. 

e.  Conduct  research  and  acquire  basic  knowledge  of  the  techniques  and  the  circuitry  required  to  provide  an  effective 
CND  capability  in  appropriate  types  of  Army  equipment. 

/  Ensure  application  of  capabilities  to  perform  IS  risk  analysis,  reduction,  and  management. 

g.  Ensure  that  Army  program  executive  officers  (PEOs)  and  direct  reporting  PMs  include  IA  in  all  systems 
development  activities. 

h.  Ensure  Army  PEOs  and  direct-reporting  PMs  obtain  C&A  approval  to  operate  prior  to  system  operations  on  the 
Army  network  or  with  Army  data. 

/'.  See  additional  responsibilities  at  paragraph  2-2. 

2-5.  The  Deputy  Chief  of  Staff,  G-2 

The  DCS,  G-2  wili¬ 
er.  Coordinate  the  development  and  dissemination  of  DOD,  national,  theater,  and  DA-level  IA  threat  information  to 
the  Army. 

b.  Coordinate  with  the  ClO/G-6  for  the  policy,  development,  dissemination,  support,  tactics,  techniques,  and 
procedures  for  the  design,  implementation,  and  operation  of  the  K.MI  and  systems  to  support  Army  encryption 
requirements. 

c.  Develop  policy  and  approve  procedures  for  safeguarding  and  controlling  COMSEC  and  controlled  cryptographic 
item  (CCI)  material. 

d.  Ensure  all  intelligence  systems,  for  which  the  DCS,  G-2  is  the  Army  proponent  or  sponsor,  are  accredited  or  re- 
accredited  in  accordance  with  Director,  Central  Intelligence  Agency  Directive  (DCID)  6/3. 

e.  Ensure  that  the  DODIIS  Program  is  implemented  and  guidance  is  published. 

f  Serve  as  the  approval  authority  for  external  IS  penetration  and  exploitation  testing  of  operational  networks. 

g.  Participate  with  the  CIO/G-6,  INSCOM,  NETCOM/9th  SC  (A),  lstIO  CMD  (LAND),  and  CID  in  analyses  and 
studies  concerning  foreign  intelligence  threats,  criminal  intelligence,  or  operational  vulnerabilities  against  which  IA 
countermeasures  will  be  directed. 

h.  Act  as  the  Service  Certifying  Organization  and  DAA  for  DODIIS  processing  SCI  on  the  Joint  World  Wide 
Intelligence  System  (JWWICS). 

i.  Act  as  the  CA  for  SCI  systems  processing  information  at  Protection  Level  (PL)  4. 

j.  Act  as  the  DAA  for  SCI  systems  processing  information  up  to  PL  3. 

k.  See  additional  responsibilities  at  paragraph  2-2. 

2-6.  The  Deputy  Chief  of  Staff,  G-3/5/7 

The  DCS,  G-3/5/7  wili¬ 
er.  Support  the  CIO/G-6  in  the  accomplishment  of  IA  responsibilities. 

b.  Ensure  IA  training  is  integrated  and  conducted  throughout  the  Army. 

c.  Support  audits  and  reviews  of  ISs  and  networks  through  operational  and  technical  assistance,  as  required. 

d.  Provide  guidance,  requirements,  and  oversight  for  information  operations  condition  (INFOCON)  alerting  and 
implementation  measures. 

e.  Provide  guidance,  requirements,  and  oversight  for  OPSEC  measures  to  support  an  IA  management  policy. 

f.  See  additional  responsibilities  at  paragraph  2-2. 

2-7.  The  Deputy  Chief  of  Staff,  G-4 

The  DCS,  G-4  wili¬ 
er.  Develop,  as  the  Army  independent  logistician,  logistics  policies  (including  integrated  logistics  support  policy), 
concepts,  procedures,  and  guidance  for  logistics  support  of  IA  equipment  used  in  support  of  all  Army  missions. 

b.  Prescribe  execution  of  NSA  or  DOD  logistics  management  directives  that  apply  to  classified  COMSEC  and  CCI 
materiel. 

c.  Prescribe  and  supervise  the  implementation  of  procedures  for  property  control  and  the  accounting  of  CCI  materiel 
during  distribution,  storage,  maintenance,  use,  and  disposal.  All  guidance  will  conform  to  the  security  standards 
developed  by  the  DCS,  G-2  for  safeguarding  COMSEC  and  CCI  materiel. 

d.  Supervise  logistics  support  planning  to  ensure  the  availability  of  materials  and  publications  needed  for  repair,  test 
measurement,  and  diagnosis  of  IA  equipment  and  systems. 
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e.  Provide  continuous  logistical  support  for  fielded  IA  material  and  test  equipment. 

/  See  additional  responsibilities  at  paragraph  2-2. 

2-8.  Commanders  of  Army  Commands;  Army  Service  Component  Commands;  Direct  Reporting 
Units;  U.S.  Army  Reserve;  Army  National  Guard;  program  executive  officers;  direct  reporting  program 
managers;  Regional  Chief  Information  Officers;  Functional  Chief  Information  Officers;  and  the 
Administrative  Assistant  to  the  Secretary  of  the  Army 

Commanders  of  ACOMs;  ASCCs;  DRUs;  U.S.  Army  Reserve;  ARNG;  Chief,  CAR  ;  PEOs;  direct  reporting  PMs; 
RClOs/FCIOs;  and  the  AASA  are  responsible  for  ensuring  that  their  units,  activities,  or  installations  will — 

a.  Develop  and  implement  an  IA  program  with  the  hardware,  software,  tools,  personnel,  and  infrastructure  necessary 
to  fill  the  IA  positions  and  execute  the  duties  and  responsibilities  outlined  in  this  regulation. 

b.  Oversee  the  maintenance,  documentation,  and  updating  of  the  C&A  requirements  required  for  the  operation  of  all 
ISs  as  directed  in  this  regulation. 

c.  Implement  and  manage  IT  system  configurations,  including  performing  IAVM  processes  as  directed  by  this 
regulation. 

d.  Appoint  IA  and  other  personnel  (for  example,  alternates)  to  perform  the  duties  in  chapter  3  of  this  regulation  and 
provide  information  assurance  program  manager  (IAPM)  and/or  POC  information  to  the  RCIOs,  supporting  RCERTs/ 
Theater  Network  Operations  and  Security  Centers  (TNOSCs),  and  the  Army  Computer  Emergency  Response  Team 
(ACERT).  The  ACOMs/ASCCs  lAPMs  will  also  provide  reports  to  the  RCIO  of  the  region  in  which  the  headquarters 
is  physically  located. 

e.  Appoint  DAAs  only  as  authorized  in  section  II  and  paragraph  5-8. 

f  Establish  an  oversight  mechanism  to  validate  the  consistent  implementation  of  IA  security  policy  across  their 
areas  of  responsibility. 

g.  Ensure  annual  security  education,  training,  and  awareness  programs  are  developed  and  conducted  that  addresses, 
at  a  minimum,  physical  security,  acceptable  use  policies,  malicious  content  and  logic,  and  non-standard  threats  such  as 
social  engineering. 

h.  Oversee  the  implementation  of  IA  capabilities. 

i.  Incorporate  IA  and  security  as  an  element  of  the  system  life  cycle  process. 

j.  Develop  and  implement  an  acceptable  use  policy  for  privately  owned  equipment  (for  example,  cell  phones, 
personal  digital  assistants  (PDAs),  wireless  devices,  and  removable  media)  and  ISs  prohibited  during  training  exercises, 
deployments,  and  tactical  operations.  Incorporate,  as  a  minimum,  the  prohibition  of  utilizing  such  devices  or  the 
limitations  of  acceptable  use,  as  well  as  the  threat  of  operational  exposure  represented  by  these  devices  in  garrison,  pre¬ 
deployment  staging,  tactical,  and  operational  areas. 

k.  Develop  procedures  for  immediate  notification  and  recall  of  IA  personnel  as  assigned. 

l.  Adhere  to  and  implement  the  procedures  of  the  networthiness  certification  process  per  AR  25-1. 

m.  Program,  execute,  and  report  management  decision  packages  (MDEPs)  MS4X  and  MX5T  resource  requirements. 

n.  See  additional  responsibilities  at  paragraph  2-2. 

2-9.  Commander,  1st  Information  Operations  Command 

The  Commander,  lsl  10  CMD  (LAND)  will— 

a.  Exercise  command  and  control  of  the  ACERT  and  all  of  its  components  (including  RCERTs). 

b.  Establish  tactics,  techniques,  and  procedures  (TTPs)  for  the  ACERT,  RCERTs,  and  Local  Computer  Emergency 
Response  Teams  (LCERTs)  (if  established)  as  required. 

c.  Integrate,  in  conjunction  with  NETC0M/9th  SC  (A),  computer  emergency  response,  IA,  and  CND  service 
provider  activities  into  network  operations  (NETOPS),  network  management,  and  information  dissemination. 

d.  Integrate,  in  coordination  with  the  DCS,  G-3/5/7,  CND,  OPSEC,  and  INFOCON  activities  into  information 
operations  (10). 

e.  Support  the  Army  CND  service  provider  as  the  focal  point  for  security  incidents  and  violations. 

/  Develop  and  publish  incident  response  guidelines,  checklists,  and  procedures  in  coordination  with  law  enforce¬ 
ment  (LE)  and  counterintelligence  (Cl)  agencies. 

g.  Provide  status  reports  per  directives  on  unusual  activities  occurring  on  Army  networks  worldwide. 

h.  Support  the  IA  security  tool  repository  and  provide  recommendations  for  including  new  tools. 

Provide  tools,  methodologies,  procedures,  and  oversight  for  the  vulnerability  assessment  program  and  perform 
vulnerability  assessments  through  approved  programs. 

j.  Develop  and  maintain  an  Army  CND  vulnerability  database  for  trend  analysis. 

k.  Support  and  maintain  Army  IAVM  message  staffing,  notification,  distribution,  and  resolution. 

/.  Develop  TTPs  for  a  threat  warning  and  notification  process. 

m.  Develop  procedures  to  issue  CND  lessons  learned  identified  from  incidents,  intrusions,  analyses,  or  other 
technical  processes. 


ManningB_0001 6241 


AR  25-2  •  24  October  2007 


© 


o 


n.  Maintain  Army  computer  network  situational  intelligence  awareness,  including  network  threat  analysis  and 
Internet  network  intelligence. 

o.  Participate  with  the  ClO/G-6,  DCS,  G-2,  INSCOM,  NETCOM/9th  SC  (A),  and  CID  in  analyses  and  studies 
concerning  foreign  intelligence  threats,  criminal  intelligence,  or  operational  vulnerabilities  against  which  IA  counter¬ 
measures  will  be  directed. 

p.  See  additional  responsibilities  at  paragraph  2-2  and  paragraph  2-8. 

2-10.  Commanding  General,  Network  Enterprise  Technology  Command/9th  Signal  Command  (Army) 

The  CG,  NETCOM/9 th  SC  (A)  will— 

a.  Request  appointment  from  the  CIO/G-6  as  the  DAA  for  the  Army  enterprise. 

b.  Appoint,  once  authorized,  the  Director,  Enterprise  Systems  Technology  Activity  (ESTA)  as  the  DAA  for  the 
Army  enterprise. 

c.  Operate,  manage,  monitor,  administer,  and  defend  the  Army  portion  of  the  global  information  grid. 

d.  Perform  configuration  and  patch  management  for  all  Army  network  components  and  systems. 

e.  Execute  Computer  Network  Defense  Service  Provider  (CNDSP)  and  NETOPS  missions  and  functions. 

/  Review,  coordinate,  evaluate,  and  approve  proposed  policies,  procedures,  directives,  standards,  doctrinal  publica¬ 
tions,  plans,  materiel  requirement  documents,  life  cycle  management  documents,  basis-of-issue  plans,  and  system 
certification  and  accreditation  documents  for  all  systems  fielded,  or  planned  to  be  fielded,  to  Army  installations  as  well 
as  similar  documents  that  have  implications  for  adherence  to  policy. 

g.  Establish  TTPs  to  integrate  IA/CND  service  provider  activities  with  system  and  network  management  and 
information  dissemination. 

h.  Provide  timely  flows  of  NETOPS  data  to  maintain  an  analysis  view  at  all  levels. 

i.  Ensure  an  operational  assessment  of  IA  products  is  conducted  before  incorporation  into  systems  under  NETCOM/ 
9th  SC  (A)  management. 

j.  Maintain  a  repository  of  the  status  and  availability  of  Army  critical  systems  and  networks. 

k.  Manage  the  DiD  security  architecture  environment,  strategies,  connections,  and  configurations  against  un¬ 
authorized  access,  manipulation,  or  destruction. 

/.  Manage  the  AEI  Technical  CCB  responsible  for  the  Army  security  architecture.  Establish  baseline  configuration 
management  guidelines  and  technical  and  operational  TTPs;  and  review,  approve,  prioritize,  and  manage  change  to  the 
AEI. 

m.  Conduct  quarterly  vulnerability  assessments  of  top  level  architecture  (TLA)  critical  assets,  devices,  servers,  and 
IA  implemented  devices. 

n.  Participate  with  the  CIO/G-6,  DCS,  G-2,  INSCOM,  1st  10  CMD  (LAND),  and  CID  in  analyses  and  studies 
concerning  foreign  intelligence  threats,  criminal  intelligence,  or  operational  vulnerabilities  against  which  IA  counter¬ 
measures  will  be  directed. 

o.  See  additional  responsibilities  at  paragraph  2-2  and  paragraph  2-8. 

2-11.  Commanding  General,  U.S.  Army  Training  and  Doctrine  Command 

The  CG,  TRADOC  will— 

a.  Integrate  approved  IA  tools,  doctrine,  procedures,  legalities,  and  techniques  into  applicable  programs  of  instruc¬ 
tion  for  TRADOC  schools. 

b.  Develop  timely  Armywide  IA  training  literature  and  training  aids,  leveraging  secure  electronic  distribution  and 
remote  access  capabilities. 

c.  Develop,  test,  and  recommend  operational  and  organizational  concepts  and  doctrine  to  achieve  IA  goals. 

d.  Develop  and  provide  IA  requirements  to  the  materiel  developers  and  ensure  compliance  with  AR  381-1 1  and  this 
regulation. 

e.  Conduct  or  participate  in  operational  tests  of  IA  implementations  as  part  of  system-wide  operational  tests,  as 
directed. 

/  Integrate  IA  practices  into  pre-milestone  A  activities  and  events  as  required. 
g.  See  additional  responsibilities  at  paragraph  2-2  and  paragraph  2-8. 

2-12.  Commanding  General,  U.S.  Army  Materiel  Command 

The  Commanding  General,  U.S.  Army  Materiel  Command  will — 

a.  Provide  Armywide  materiel  developer  IA  support  for  RDT&E  and  production. 

b.  Assist  IS  functional  proponents  in  identifying  security  requirements  for  proposed  and  existing  sustaining  base, 
tactical,  and  weapons  systems. 

c.  Maintain  a  repository  of  tactical  IA  tools,  and  distribute  tools  to  fielded  tactical  systems,  as  needed.  Coordinate 
with  1st  10  CMD  to  integrate  tactical  and  sustaining-base  toolboxes  into  a  seamless  repository  for  Army  users. 
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d.  Provide  a  DA  authorized  (that  is,  CSLA)  cryptographic  advisor  to  the  certification  authority  (CA)  throughout  the 
DIACAP  process. 

e.  See  additional  responsibilities  at  paragraph  2-2  and  paragraph  2-8. 

2-13.  Commanding  General,  U.S.  Army  Intelligence  and  Security  Command 

The  Commanding  General,  1NSCOM  will — 

a.  Serve  as  the  Army  Service  Cryptologic  Element  (SCE)  and  point  of  contact  for  ISs  under  the  purview  of  the 
NSA. 

b.  Provide  Cl  support  to  Army  elements  on  1A  matters  and  advise  accreditation  authorities  on  the  foreign  intelli¬ 
gence  threat. 

c.  Coordinate  the  C&A  for  all  cryptographic  systems  and  conduct  C&A  for  all  Army  cryptographic  systems  at  PL  2 
(DCID  6/3)  and  below. 

d.  Participate  with  the  CIO/G-6,  DCS,  G-2,  Is'  IO  CMD  (LAND),  NETCOM/9th  SC  (A),  and  CID  in  analyses  and 
studies  concerning  foreign  intelligence  threats,  criminal  intelligence,  or  operational  vulnerabilities  against  which  IA 
countermeasures  will  be  directed. 

e.  See  additional  responsibilities  at  paragraph  2-2  and  paragraph  2-8. 

2-14.  Commanding  General,  U.S.  Army  Criminal  Investigation  Command 

The  Commanding  General,  CID  will — 

a.  Operate  the  Computer  Crime  Investigative  Unit  (CCIU). 

b.  Conduct  criminal  investigations  involving  intrusions  into  Army  networks  and  computers. 

c.  Provide  criminal  and  technical  intelligence  analyses  of  vulnerabilities,  methodology,  tools,  techniques,  or  practices 
obtained  from  computer  crimes  or  forensic  intrusion  analyses  to  support  CND,  C&A,  and  program  developers  or 
managers. 

d.  Participate  in  IAVA  Compliance  Verification  Team  (CVT)  inspections. 

e.  Conduct  crime  prevention  surveys  to  identify  crime-conducive  conditions  involving  Army  networks  and  systems. 
/  Serve  as  chief  enforcer  of  Federal  laws  governing  the  investigation  of  criminal  offenses  involving  networks  and 

systems,  serve  as  the  sole  entity  for  LE  investigation  determinations,  and  serve  as  the  sole  Army  interface  with  Federal 
and  civilian  LE  agencies. 

g.  Participate  with  the  CIO/G-6,  DCS,  G-2, 1NSCOM,  NETCOM/9th  SC  (A),  and  1st  10  CMD  (LAND)  in  analyses 
and  studies  concerning  foreign  intelligence  threats,  criminal  intelligence,  or  operational  vulnerabilities  against  which  IA 
countermeasures  will  be  directed. 

h.  See  additional  responsibilities  at  paragraph  2-2  and  paragraph  2-8. 

2-15.  Chief,  Army  National  Guard 

The  Chief,  ARNG  wili¬ 
er  Request  appointment  as  the  DAA  for  the  ARNG  and  GuardNet  XXI  from  the  CIO/G-6. 

b.  Appoint,  once  authorized,  the  ARNG  state  Director  of  Information  Management  (DOIM)/J6/CIO  for  individual 
states  in  accordance  with  paragraph  5-8.  General  officers  within  the  ARNG  are  state  employees  not  Title  10  or  Title  32 
Soldiers,  therefore,  the  state  DOIM/J6/CIO  will  be  appointed  as  DAAs.  Provide  a  copy  of  these  appointments  to  the 
CIO/G-6  through  the  OIA&C. 

c.  Set  the  ARNG  IA  priorities,  provide  oversight,  and  ensure  the  coordination  and  compliance  of  the  ARNG  IA 
program  is  accomplished  with  the  CG,  NETCOM  to  leverage  Army  technical  authority  standards  and  ensure  compli¬ 
ance  with  this  regulation. 

d.  See  additional  responsibilities  at  paragraph  2-2  and  paragraph  2-8. 

2-16.  Chief,  Army  Reserve 

The  CAR  will — 

a.  Request  appointment  as  the  DAA  for  the  U.S.  Army  Reserve  (USAR)  from  the  CIO/G-6. 

b.  Appoint,  once  authorized,  the  Army  Reserve  Command  (USARC)  Chief  of  Staff  (COS)  as  the  Army  Reserve 
Network  (ARNET)  DAA  when  the  COS  meets  the  requirements  of  paragraph  5-8.  Provide  a  copy  of  this  appointment 
to  the  CIO/G-6  through  the  OIA&C. 

c.  Set  the  USAR  IA  priorities,  provide  oversight,  and  ensure  the  coordination  and  compliance  of  the  USAR  IA 
program  with  the  CG,  NETCOM  to  leverage  Army  technical  authority  standards  and  ensure  compliance  with  this 
regulation. 

d.  See  additional  responsibilities  at  paragraph  2-2  and  paragraph  2-8. 

2-17.  U.S.  Army  Reserve  Command  Chief  of  Staff 

The  USARC  COS  will— 
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a.  Request  appointment  as  the  ARNET  DAA,  as  applicable,  from  the  CAR. 

b.  Appoint,  once  authorized,  the  major  subordinate  command  (MSC)  Commander  as  DAA  for  command/unit/ 
activities  non-ARNET  system/network  implementations  when  the  MSC  meets  the  requirements  of  paragraph  5-8. 
Provide  a  copy  of  this  appointment  to  the  CIO/G-6  through  the  OlA&C. 

c.  Ensure  all  AR  commands/units/activities,  to  include  but  not  limited  to,  all  off  installation  Government  and  non- 
Govemment  satellites,  facilities,  and  buildings,  meet  the  requirements  for  connecting  physically,  logically,  and/or 
virtually  to  the  ARNET  backbone. 

d.  Ensure  MSC  Commanders  implement  the  AR  IA  program  in  accordance  with  CAR  priorities  and  the  CG, 
NETCOM  via  the  applicable  Army  technical  authority  standards  and  ensure  compliance  with  this  regulation. 

e.  See  additional  responsibilities  at  paragraph  2-2  and  paragraph  2-8. 

2-18.  U.S.  Army  Corps  of  Engineers  Chief  of  Engineers 

The  USACE  Chief  of  Engineers  (COE)  will— 

a.  Set  IA  priorities,  provide  oversight,  and  ensure  the  coordination  and  compliance  of  the  IA  program  throughout 
USACE. 

b.  Ensure  the  USACE  CIO  implements  the  USACE  IA  program  in  accordance  with  USACE  priorities  and  the  CG, 
NETCOM  via  the  applicable  Army  technical  authority  standards  and  ensure  compliance  with  this  regulation. 

c.  See  additional  responsibilities  at  paragraph  2-2  and  paragraph  2-8. 

2-19.  U.S.  Army  Corps  of  Engineers  Chief  Information  Officer 

The  USACE  Chief  Information  Officer  (CIO)  will — 

a.  Request  appointment  as  the  DAA  for  the  USACE  Wide  Area  Network  (WAN)  and  all  corporate  IS. 

b.  Appoint,  once  authorized,  the  USACE  Division  Commanders  as  DAA  for  USACE  IS  as  applicable,  when  the 
Division  Commander  meets  the  requirements  of  paragraph  5-8.  Provide  a  copy  of  this  appointment  to  the  CIO/G-6 
through  the  OlA&C. 

c.  See  additional  responsibilities  at  paragraph  2-2  and  paragraph  2-8. 

2-20.  Commanding  General,  Eighth  Army 

The  CG,  Eighth  Army  will — 

a.  Request  appointment  as  the  DAA  for  Eighth  Army  from  the  HQDA  CIO/G-6. 

b.  Appoint,  once  authorized,  the  Eighth  Army  CIO/G-6  as  the  DAA  when  the  Eighth  Army  CIO/G-6  meets  the 
requirements  of  paragraph  5-8.  Provide  a  copy  of  this  appointment  to  the  CIO/G-6  through  the  OIA&C. 

c.  Ensure  MSC  commanders  implement  the  Eighth  IA  program  in  accordance  with  Eighth  Army  priorities  and  the 
CG,  NETCOM  via  the  applicable  Army  technical  authority  standards  and  ensure  compliance  with  this  regulation. 

d.  See  additional  responsibilities  at  paragraph  2-2  and  paragraph  2-8. 

2-21.  Commanding  General,  U.S.  Army  Europe 

The  CG,  USAREUR  will— 

a.  Request  appointment  as  the  DAA  for  Army  Europe  from  the  CIO/G-6. 

b.  Appoint,  once  authorized,  the  DAAs  for  USAREUR  backbone,  tenant  and  MSC  in  accordance  with  the  require¬ 
ments  of  paragraph  5-8.  Provide  a  copy  of  this  appointment  to  the  CIO/G-6  through  the  OIA&C. 

c.  Ensure  tenant  and  MSC  Commanders  implement  the  USAREUR  IA  program  in  accordance  with  USAREUR 
priorities  and  the  CG,  NETCOM  via  the  applicable  Army  technical  authority  standards  and  ensure  compliance  with  this 
regulation. 

d.  See  additional  responsibilities  at  paragraph  2-2  and  paragraph  2-8. 

2-22.  Commanding  General,  U.S.  Army  Medical  Command 

The  CG,  MEDCOM  will— 

a.  Request  appointment  as  the  DAA  for  MEDCOM  from  the  CIO/G-6. 

b.  Appoint,  once  authorized,  the  DAA  for  individual  Regional  Medical  Commands  (RMC)  Commander  and  MSCs 
in  accordance  with  paragraph  5-8.  Provide  a  copy  of  this  appointment  to  the  CIO/G-6  through  the  OIA&C. 

c.  Ensure  RMC  and  MSC  Commanders  implement  the  MEDCOM  IA  program  in  accordance  with  MEDCOM 
priorities  and  the  CG,  NETCOM  via  the  applicable  Army  technical  authority  standards  and  ensure  compliance  with  this 
regulation. 

d.  See  additional  responsibilities  at  paragraph  2-2  and  paragraph  2-8. 

2-23.  Program  executive  officers  and  direct  reporting  program/project  managers 

Program  executive  officers  (PEOs)  and  program/project  managers  (including  PMs  outside  the  PEO  structure  responsi¬ 
ble  for  fielding  systems  to  multiple  Army  organizations)  will — 
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a.  Acquire,  operate,  and  support  systems  within  their  command  or  activity  per  this  regulation. 

b.  Embed  IA  engineering  and  capabilities  in  all  system  RDT&E  activities. 

c.  Appoint  an  IAPM  to  perform  those  duties  listed  in  paragraph  3-26. 

d.  Ensure  that  designated  pre-deployment  information  assurance  security  officers  (IASOs)  effect  continuous  coor¬ 
dination  with  the  organizational  IA  personnel  for  which  the  systems  are  demonstrated,  tested,  or  fielded. 

e.  Request  appointment  as  the  DAA  for  named  acquisition  systems  developed  under  their  charter  from  the  CIO/G-6 
through  the  OlA&C. 

/  Provide  the  C&A  package  to  the  CA  for  an  operational  1A  risk  recommendation  supporting  the  DAA  approval  to 
operate  decision  prior  to  operational  use  or  testing  on  a  live  network  or  with  live  Army  data. 

g.  Ensure  that  the  SO  makes  the  C&A  package  available  to  the  ACOM/ASCC,  RCIO  IAPM,  and  NETCOM,  30 
days  before  initial  operational  test  and  evaluation  (IOT&E)  and  before  deployment  of  the  system. 

h.  Integrate  IA,  COMSEC,  and  TEMPEST  into  entire  system  life  cycle  design,  development,  and  deployment. 

i.  Address  and  include  the  addition  of  any  IT/IA  personnel  (such  as  system  administrator  (SA)  or  network  security 
managers  needed  to  operate  the  new  or  expanded  system  or  network)  or  access  requirements  and  responsibilities  for 
patch  management  and  system  administration  as  part  of  the  development  cost  of  stated  system  or  network. 

j.  Integrate  IA  practices  into  pre-milestone  A  activities  and  events. 

k.  Perform  acquisition  and  life  cycle  management  of  materiel  in  support  of  the  IA  strategy. 

/.  Report  to  HQDA  CIO/G-6  the  percentage  of  PEO/PM-programmed  funding  allocated  to  the  AIAP.  The  report 
will  include  current  and  planned  IA  investments. 

m.  Accomplish  all  intelligence  and  threat  support  requirements  outlined  in  AR  381-11  and  this  regulation. 

n.  Enforce  IA  standards  and  maintain/report  an  inventory  of  IS  products,  equipment,  locations,  and  contact 
information. 

o.  Enforce  1AVM  compliance  measures  (for  example,  notifications,  patch  management)  and  incorporate  them  into 
life  cycle  management  procedures. 

p.  Coordinate  with  CSLA  to  ensure  cryptographic  life  cycle  equipment  management  is  a  consideration  during 
system  design  phase. 

q.  See  additional  responsibilities  at  paragraph  2-2  and  paragraph  2-8. 

2-24.  Commanders,  directors,  and  managers 

Commanders,  directors,  and  managers  will — 

a.  Be  responsible  for  implementing  the  AIAP  in  their  command  or  activity. 

b.  Acquire,  operate,  and  maintain  systems  within  their  command  or  activity  per  this  regulation. 

c.  Incorporate  and  define  requests  for  new  systems  or  changes  to  existing  systems,  including  security  requirements 
necessary  for  the  system’s  concept  of  operation.  Once  validated,  include  these  security  requirements  into  the  system 
design  as  defined  in  procurement  contracts.  Address  the  addition  of  IT/IA  personnel  (such  as  SAs  or  network  security 
managers  needed  to  operate  the  new  or  expanded  system  or  network)  as  part  of  the  development  cost  of  stated  system 
or  network. 

d.  Include  10  and  IA  requirements  in  submissions  of  commander’s  critical  information  requirements  (CCIR)  or 
priority  intelligence  requirements  (PIR). 

e.  Ensure  uses  of  market-driven/industry-developed  (MDID),  commercial-off-the-shelf  (COTS),  or  other  products 
are  consistent  with  IA  requirements  and  do  not  introduce  an  unacceptable  risk. 

/  Appoint  appropriate  IA  personnel  per  chapter  3  of  this  regulation. 

g.  Ensure  that  designated  pre-deployment  IASOs  effect  continuous  coordination  with  the  organizational  IA  person¬ 
nel  for  which  the  systems  are  demonstrated,  tested,  or  fielded. 

h.  Ensure  IA,  COMSEC,  and  TEMPEST  requirements  are  incorporated  into  life  cycle  planning. 

Ensure  implementation  of  this  regulation  is  accomplished  in  compliance  with  all  statutory  and  contractual  labor 
relations  obligations. 

j.  See  additional  responsibilities  at  paragraph  2-2  and  paragraph  2-8. 

2-25.  Garrison  commanders 

Garrison  commanders  will — 

a.  Implement  the  installation  level  IA  program  in  accordance  with  the  installation  commander  priorities  and  the  CG, 
NETCOM  via  the  applicable  continental  United  States  (CONUS)  RCIO  Army  technical  authority  standards  and  to 
ensure  compliance  with  this  regulation. 

b.  Obtain  approval  to  operate  the  garrison  information  systems  from  the  first  general  officer  or  SES  in  the  chain  of 
command  that  has  obtained  the  appropriate  DAA  appointment  from  the  CIO/G-6. 

c.  Ensure  the  installation  DOIM  develops  the  installation  C&A  package,  and  obtains  and  maintains  approval  to 
operate  the  installation  campus  area  network  (ICAN)  and  any  DOIM  controlled  or  managed  consolidated  service 
locations  (server  farms). 


10  AR  25-2  •  24  October  2007 

ManningB_00016245 


Q 


O 


d.  Ensure  all  installation  tenants,  to  include  but  not  limited  to,  all  off  installation  Government  and  non-Govemment 
satellites,  facilities,  and  buildings,  meet  the  requirements  for  connecting  physically  and/or  virtually  to  the  ICAN  (that 
is,  the  installation  backbone). 

e.  Coordinate  with  the  supporting  NETCOM/9th  SC  (A)  component,  ACOM/ASCC,  IMA,  and  tenant  organizations 
for  1A  implementation  and  compliance. 

f.  Acquire,  operate,  and  maintain  systems  within  their  installation  or  activity  per  this  regulation. 

g.  Maintain  the  CM  of  the  garrison  network  and  ensure  that  the  installation-level  CCB/CMB  provides  oversight 
support  to  the  installation  commander. 

h.  Monitor  and  manage  the  connection,  access,  and  IA  standards  for  standalone  and  networked  ISs  down  to  the 
workstation  level  across  all  installation  and  tenant  organizations. 

i.  Manage  and  oversee  the  operation  of  the  installation  infrastructure  throughout  the  system  life  cycle. 

j.  Provide  technical  and  functional  IA  guidance  and  assistance  in  support  of  network  management. 

k.  Review,  before  adoption,  proposed  changes  that  could  affect  the  operation  of  the  installation  infrastructure’s 
network  security  and  operation  (confidentiality,  integrity,  and  availability). 

/.  See  additional  responsibilities  at  paragraph  2-2  and  paragraph  2-8. 

2-26.  U.S.  Army  Reserve  major  subordinate  command 

The  USAR  MSC  will— 

a.  Request  appointment  as  the  non-ARNET  system/network  DAA,  as  applicable,  from  the  USARC  COS. 

b.  Implement  a  command/unit/activity  level  IA  program  in  accordance  with  CAR  priorities  and  ensure  compliance 
with  this  regulation. 

c.  Ensure  the  command/unit/activity  G-6  develops  command/unit/activity  level  certification  and  accreditation  for  all 
non-ARNET  system/network  implementation. 

d.  See  additional  responsibilities  at  paragraph  2-2  and  paragraph  2-8. 

2-27.  Army  National  Guard  state  DOIM/J6/CIO 

The  ARNG  State  DOIM/J6/CIO  will— 

a.  Request  appointment  as  the  ARNG  State  DAA,  as  applicable,  from  the  Chief  ARNG.  General  officers  within  the 
ARNG  are  state  employees  not  Title  10  or  Title  32  Soldiers,  therefore,  the  state  DOIM/J6/CIO  will  perform  the  state 
DAA  duties  once  appointed. 

b.  Implement  the  ARNG  IA  program  in  the  state,  as  applicable,  in  coordination  with  the  ARNG  Chief  to  ensure 
compliance  with  this  regulation. 

c.  Ensure  all  ARNG  State  tenants,  to  include  but  not  limited  to,  all  ARNG  state  government  and  non-Govemment 
satellites,  facilities,  and  buildings,  meet  the  requirements  for  connecting  physically  and/or  virtually  to  the  ARNG  state 
and  ARNG  backbone  (that  is,  GuardNet  XXI). 

d.  See  additional  responsibilities  at  paragraph  2-2  and  paragraph  2-8. 

2-28.  Regional  Chief  Information  Officer 

The  RCIO,  as  CG,  NETCOM  representative  will — 

a.  Be  responsible  for  ensuring  the  technical  authority  enterprise  standards  are  reflected  in  the  installation  IA 
priorities  and  implemented  through  coordination  with  the  appropriate  IC,  garrison  commander  and  DOIM. 

b.  See  additional  responsibilities  at  paragraph  2-2,  paragraph  2-8,  and  paragraph  3-2. 

2-29.  Army  Reserve  command/unit/activity  G-6 

The  USAR  command/unit/activity  G-6  will — 

a.  Implement  an  IA  program  as  directed  by  the  USAR  MSC  Commander  that  reflects  the  CAR  priorities  and  ensure 
compliance  with  this  regulation. 

b.  Ensure  USAR  standards  for  connections  to  the  ARNET  are  met. 

c.  Develop  non-ARNET  system/network  implementations  certification  and  accreditation,  provide  to  the  CA  for  an 
operational  IA  risk  recommendation  supporting  the  DAA  approval  to  operate  decision  prior  to  operational  use  on  a  live 
network  or  with  live  Army  data. 

d.  See  additional  responsibilities  at  paragraph  2-2  and  paragraph  2-8. 

2-30.  Director  of  Information  Management 

The  DOIMs  will— 

a.  Implement  an  IA  program  as  directed  by  the  garrison  commander  that  reflects  the  1C  priorities  and  with  the  CG, 
NETCOM  via  the  applicable  Army  technical  authority  standards  and  is  compliant  with  this  regulation. 

b.  Ensure  Army  standards  for  connection  to  the  ICAN  are  met. 
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c.  Develop  the  installation  certification  and  accreditation  package,  and  provide  to  the  Army  CA  for  an  operational 
1A  risk  recommendation  in  support  of  a  DAA  approval  to  operate  decision. 

d.  Obtain  and  maintain  approval  to  operate  for  the  installation  1CAN  and  any  DOIM  controlled  or  managed 
consolidated  service  locations  (server  farms)  from  the  appropriate  DAA. 

e.  See  additional  responsibilities  at  paragraph  2-2  and  paragraph  2-8. 


Chapter  3 

Army  Information  Assurance  Program  Personnel  Structure 
3-1.  Personnel  structure  overview 

Commanders  will  establish  an  1A  personnel  structure  to  implement  the  A1AP.  These  personnel  will  be  the  focal  points 
for  1A  matters  within  their  commands  or  activities  and  will  have  the  authority  to  enforce,  with  DAA  concurrence, 
security  policies  and  safeguards  for  their  systems  or  networks.  This  authority  includes  recommending  to  the  DAA 
suspension  of  system  operations  based  on  an  identified  security  deficiency,  poor  security  practice,  or  unacceptable  risk. 
Position  the  1A  staff  in  the  organization  to  ensure  operations  do  not  negate  system  security,  except  as  directed  by  the 
DAA.  The  1A  staff  will  be  involved  in  the  acquisitioning  and  contracting  for  ISs  or  IS  services. 

3-2.  Information  assurance  personnel  structure 

Commanders  will  position  1A  personnel  organizationally  to  provide  a  balance  between  security  and  operational 
missions.  The  following  is  the  A1AP  personnel  structure  and  activities  to  be  performed. 

a.  RCIO.  NETCOM/9th  SC  (A)  RClOs  have  the  authority  and  responsibility  to — 

(1)  Translate  strategic  plans  and  technical  guidance  provided  into  objectives,  strategies,  and  architectural  guidance. 

(2)  Exercise  staff  supervision  and  technical  control  for  all  IT  organizations  within  their  region  and  execute  responsi¬ 
bilities  for  baseline  services  (communication  and  system  support,  visual  information,  documents  management,  1A, 
INFOCON,  automation),  either  operationally  or  programmatically,  as  well  as  oversight  of  NETOPS. 

(3)  Provide  all  personnel  operating  on  Army  installations  the  IT  baseline  services  in  a  manner  consistent  with 
policies  and  regulations. 

(4)  Provide  administrative,  financial,  and  managerial  IT  support  to  any  Army  installation  located  within  their 
geographic  region. 

(5)  Coordinate  the  management  of  outsourced  IT  services. 

(6)  Define  the  baseline  and  objectives,  and  establish  specific  service  levels  detailing  contractual  arrangements  and 
satisfactory  contractor  performance. 

(7)  Lead  enterprise-level  initiatives  that  assure  users’  training  requirements  are  considered  and  integrated  into 
processes  for  developing,  implementing,  and  maintaining  capabilities  and  systems. 

(8)  Act  as  the  focal  point  for  command,  control,  communications,  and  computers  for  information  management 
(C4IM)  leadership  and  coordination  of  IT  activities  within  the  region. 

(9)  Execute  the  duties  assigned  under  the  NETCOM/9th  SC  (A)  CONOPS  for  Service  Level  Agreements,  Configu¬ 
ration  Management,  and  Networthiness  Certification  Program. 

(10)  Ensure  all  ISs,  networks,  and  devices  are  scanned  quarterly  as  a  minimum,  including,  but  not  limited  to, 
scanning  for  vulnerabilities,  poor  security  practices,  noncompliance,  backdoor  connections,  unauthorized  modems, 
malicious  logic,  and  unauthorized  network  connections;  take  actions  to  report  all  violations. 

(11)  Ensure  implementation  of  A1AP  policy  and  procedures  within  their  region. 

(12)  Oversee  the  assignment  of  regional  I A  personnel  and  appoint  a  regional  IAPM. 

(13)  Provide  supported  commands,  organizations,  and  agencies  with  POC  information,  especially  if  geographically 
disbursed  across  several  regions. 

b.  IAPM.  The  IAPM  will  be  accountable  for  establishing,  managing,  and  assessing  the  effectiveness  of  all  aspects  of 
the  IA  program  within  a  region,  command,  or  functional  activity.  A  contractor  will  not  fill  the  IAPM  position. 
(Temporary  assignment  of  contractor  personnel  for  a  specified  time,  as  an  exception,  is  authorized  until  the  position 
can  be  properly  filled.)  The  IAPM  must  be  a  U.S.  citizen  and  hold  a  U.S.  Government  security  clearance  and  access 
approval  commensurate  with  the  level  of  responsibility.  Designate  this  position  as  information  technology  1  (IT— I).  The 
IAPM  must  be  IA  trained  and  certified,  and  maintain  the  certification.  The  IAPM  will — 

(1)  Develop,  manage,  and  maintain  a  formal  IA  security  program  that  includes  defining  the  IA  personnel  structure 
and  ensuring  the  appointment  of  an  information  assurance  network  manager  (1ANM),  information  assurance  network 
officer  (IANO),  information  assurance  manager  (1AM),  and  an  IASO  at  subordinate  levels. 

(2)  Enforce  Army  and  regional  IA  policy,  developing  command-unique  procedures  as  needed. 

(3)  Ensure  that  IA  personnel  implement  vulnerability  remediation  bulletins  and  advisories  that  affect  the  security  of 
their  ISs. 
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(4)  Ensure  that  all  IA  personnel  receive  the  necessary  technical  (for  example,  operating  system,  network,  security 
management,  and  system  administration)  and  security  training  to  carry  out  their  duties  and  maintain  certifications. 

(5)  Serve  as  the  primary  point  of  contact  for  IA-related  actions.  This  includes  IAVM  reporting,  compliance, 
vulnerability  assessments,  and  feedback  to  Army  staff  on  current  and  upcoming  1A  policies. 

(6)  As  applicable,  Regional  and  Command  IAPMs  will  provide  their  supporting  RCERT  or  TNOSC  with  guidance 
and  priorities  regarding  IA/CND  support  to  their  regions,  command,  and  subordinates. 

(7)  Manage  the  DIACAP  program  to  ensure  compliance  with  requirements. 

(8)  Ensure  the  development  of  system  C&A  documentation  by  reviewing  and  endorsing  such  documentation  and 
recommending  action  to  the  DAA. 

(9)  Enforce  the  use  of  Army  approved  procedures  for  clearing,  purging,  reusing,  and  releasing  system  memory, 
media,  output,  and  devices. 

(10)  Ensure  DAAs  maintain  a  repository  for  all  systems’  C&A  documentation  and  modifications. 

(11)  Ensure  that  security  violations  and  incidents  are  reported  to  the  servicing  RCERT  in  accordance  with  Section 
VIII,  Incident  and  Intrusion  Reporting. 

(12)  Ensure  that  RCERT  directed  protective  and  corrective  measures  are  implemented  for  vulnerabilities  or  incidents 
remediation. 

(13)  Identify  data  ownership  (including  accountability,  access,  and  special  handling  requirements)  for  each  IS  or 
network  within  their  authority. 

(14)  Conduct  announced  and  unannounced  I A  assessments. 

(15)  Regional  IAPMs  will  maintain  liaison  with  appropriate  Army  theater  and  DOD  activities,  at  a  minimum 
including  CIO/G-6,  RCIO,  DISA,  NS  A,  the  Defense  Intelligence  Agency  (DIA),  HQDA,  1st  10  CMD,  ACERT, 
supporting  RCERT/TNOSC,  CID,  and  INSCOM  elements. 

(16)  Program,  manage,  execute,  and  report  MDEPs  MS4X  and  MX5T  resource  requirements. 

(17)  Administer  an  1A  management  control  evaluation  program  separate  from,  or  in  support  of.  Force  Protection 
Assessment  Teams  (FPATs). 

(18)  Serve  as  a  member  of  the  configuration  board  where  one  exists. 

(19)  In  coordination  with  the  DCS,  G-3,  DCS,  G-2,  and  CIO/G-6,  provide  technical  and  non-technical  information 
to  support  a  commander’s  INFOCON  program. 

(20)  Ensure  that  program  controls  are  in  place  to  confirm  user  access  requirements. 

(21)  The  ACOM/ASCC/functional  IAPMs  will  ensure  that  any  ACOM/ASCC-sponsored  or  developed  unique 
systems  are  fully  accredited  and  certified  prior  to  connection  to  the  network.  Ensure  that  any  proposed  distribution  will 
meet  Networthiness  certification  and  the  NETCOM/9th  SC  (A)  connection  approval  process,  and  fulfill  all  require¬ 
ments  as  a  standard  PM-developed  fielding  prior  to  distribution. 

c.  Regional  IANM.  The  IANM  (if  appointed)  may  serve  as  the  alternate  IAPM.  A  contractor  will  not  fill  the  IANM 
position.  (Temporary  assignment  of  contractor  personnel  for  a  specified  period,  as  an  exception,  is  authorized,  until  the 
position  can  be  properly  filled.)  The  IANM  must  be  a  U.S.  citizen  and  hold  a  U.S.  Government  security  clearance  and 
access  approval  commensurate  with  the  level  of  responsibility.  This  position  will  be  designated  IT— I.  The  IANM  must 
be  IA  certified  and  maintain  his  or  her  certification.  The  IANM,  under  the  purview  of  the  IAPM,  will — 

(1)  Provide  direct  support  to  the  IAPM  on  matters  of  CND  and  the  regional/command  I A  program. 

(2)  Develop  and  oversee  operational  (technical)  IA  implementation  policy  and  guidelines. 

(3)  Advise  the  IAPM  or  DAA  on  the  use  of  specific  network  security  mechanisms. 

(4)  Evaluate  threats  and  vulnerabilities  to  ascertain  the  need  for  additional  safeguards. 

(5)  Assess  changes  in  the  network,  its  operational  and  support  environments,  and  operational  needs  that  could  affect 
its  accreditation. 

(6)  Ensure  procurement  actions,  installations,  and  modifications  to  existing  infrastructure  comply  with  Army- 
approved  IA  architectural  guidance. 

(7)  Develop  and  staff  IA  technical  policy  and  procedures  for  all  networks. 

(8)  Ensure  that  all  networks  on  the  installation  or  activity  for  which  they  are  responsible,  including  tenant  networks 
accessing  the  host  installation’s  infrastructure,  are  planned,  installed,  managed,  accredited,  maintained,  and  operated  per 
the  security  requirements  of  this  regulation  and  the  standards  required  for  connectivity  and  classification  of  the  network 
concerned. 

(9)  Develop  and  issue  network  security  policy,  guidance,  and  countermeasure  implementation  instructions  to  as¬ 
signed  and  tenant  activities. 

(10)  Oversee  periodic  use  of  authorized  scanning  and  assessment  tools. 

(11)  Assist  the  IAPM  in  monitoring  and  enforcing  the  IAVM  and  INFOCON  processes. 

(12)  Serve  as  a  member  of  the  CMB  where  one  exists. 

d.  1AM.  Appoint  IAMs  at  all  appropriate  levels  of  command.  This  includes  subordinate  commands,  posts,  installa¬ 
tions,  and  tactical  units.  Appoint  an  IAM  as  needed  for  those  Army  activities  responsible  for  project  development, 
deployment,  and  management  of  command-acquired  software,  operating  systems,  and  networks.  A  contractor  will  not 
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fill  the  MSC,  installation,  or  post  1AM  positions  and  the  person  filling  the  position  will  be  a  U.S.  citizen.  Commands, 
activities,  or  organizations  with  multiple  lAMs  will  appoint  a  senior  1AM  for  their  command,  activity,  or  organization. 
In  installations  with  multiple  IAMs,  the  Installation  IAM  is  the  Senior  IAM.  All  lAMs  will  hold  a  U.S.  Government 
security  clearance  and  access  approval  commensurate  with  the  level  of  information  processed  by  the  system.  This 
position  will  be  designated  IT-1,  IT— II,  or  IT— III.  The  IAM  must  be  IA  trained  and  certified,  and  must  maintain  his  or 
her  certification.  The  IAM  will — 

(1)  Develop  and  enforce  a  formal  I A  security  and  training  program. 

(2)  Enforce  IAVM  dissemination,  reporting,  compliance,  and  verification  procedures  as  described  in  CJCSM 
6510.01. 

(3)  Report  security  violations  and  incidents  to  the  servicing  RCERT  in  accordance  with  Section  VIII,  Incident  and 
Intrusion  Reporting. 

(4)  Conduct  security  inspections,  assessments,  tests,  and  reviews. 

(5)  Manage  lASOs,  as  required,  to  establish  the  scope  of  responsibilities  and  the  technical  and  security  training 
requirements. 

(6)  Conduct  semi-annual  reviews  of  all  ISs  and  networks  to  ensure  no  security  changes  have  been  made  to 
invalidate  the  C&A. 

(7)  Negotiate  C&A  issues  with  the  DAA,  or  his  or  her  designated  representative,  for  incoming  systems  and  make 
recommendations  to  the  commander  on  additional  protection  mechanisms  necessary  prior  to  operation  of  the  incoming 
ISs. 

(8)  Maintain  training  and  certification  records  for  IA  personnel  and  user  1A  awareness  training  records. 

(9)  Ensure  the  use  of  Army  approved  procedures  for  clearing,  purging,  reusing,  and  releasing  system  memory, 
media,  output,  and  devices. 

(10)  Review  all  I A  C&A  support  documentation  packages  and  system  fielding,  operations,  or  upgrades  requirements 
to  ensure  accuracy  and  completeness,  and  that  they  meet  minimal  risk  acceptance  standards. 

(1 1)  Maintain  a  repository  for  all  systems  C&A  documentation  and  modifications,  version  control,  and  management 
of  GOTS,  COTS,  and  non-developmental  items  (NDls)  for  his  or  her  organization  or  site. 

(12)  Identify  data  ownership  (including  accountability,  access,  and  special  handling  requirements)  for  each  IS  or 
network  within  their  authority. 

(13)  Verify  that  all  ISs  within  the  scope  of  responsibility  are  properly  certified  and  accredited  in  accordance  with 
DIACAP  and  CM  policies  and  practices  before  operating  or  authorizing  the  use  of  hardware  and  software  on  an  IS  or 
network. 

(14)  Serve  as  a  member  of  an  applicable  CCB,  where  one  exists. 

(15)  Ensure  that  I A  personnel  are  maintaining  and  auditing  access  and  log  data. 

(16)  Assist  the  IAPM  to  identify  and  validate  I A  resource  requirements. 

(17)  Provide  input  to  the  IAPM  for  management  controls. 

(18)  The  Installation  IAM  will  provide  policy  and  guidance  to  all  IAMs  on  an  installation. 

(19)  Tenant  IAMs  will  assist  and  support  Installation  IAMs. 

(20)  Installation  IAMs  will  provide  reports  to  the  RCIO  IAPM. 

e.  IANM  or  IANO.  The  garrison  commander  or  manager  of  the  installation  or  activity  responsible  for  the  network 
will  appoint  an  IANM  for  each  installation  or  group  of  networks  at  all  appropriate  levels  of  command  below  ACOM 
and  DA  staff  and  field  operating  agencies,  including  subordinate  commands,  posts,  installations,  and  tactical  units. 
Appoint  IANOs  to  assist  IANMs  as  required.  IANM  and  IANO  positions  will  be  designated  IT-I  or  IT— II.  A  contractor 
will  not  fill  the  Installation  IANM  position.  The  IANM  must  be  a  U.S.  citizen  and  hold  a  U.S.  Government  security 
clearance  and  access  approval  commensurate  with  the  level  of  responsibility.  Each  IANM  and  IANO  must  be  IA  and 
vulnerability  assessment  technician  (VAT)  certified  and  must  maintain  his  or  her  certification.  The  IANM  and  IANO, 
in  addition  to  providing  direct  support  to  the  1AM,  will — 

(1)  Implement  the  I A  program  to  ensure  the  AEI  is  operational  and  secure. 

(2)  Comply  with  and  implement  policy  received  from  the  appropriate  network  security  manager  or  the  IAM. 

(3)  Conduct  reviews  of  the  network  architecture  for  vulnerabilities. 

(4)  Ensure  measures  and  procedures  used  at  network  nodes  support  the  security  integrity  of  the  network  and  comply 
with  applicable  directives. 

(5)  Develop,  issue,  and  implement  security  procedures  and  protocols  governing  network  operations  per  this 
regulation. 

(6)  Prepare,  disseminate,  and  maintain  plans,  instructions,  and  standing  operating  procedures  (SOPs)  concerning 
network  security. 

(7)  Conduct  reviews  of  network  threats  and  vulnerabilities  per  this  regulation  and  the  IAVM  process. 

(8)  Report  security  violations  and  incidents  to  the  servicing  RCERT  in  accordance  with  Section  VIII,  Incident  and 
Intrusion  Reporting. 

(9)  Review  and  evaluate  the  effects  on  security  of  changes  to  the  network,  including  interfaces  with  other  networks. 


14 

ManningB_0001 6249 


AR  25-2  •  24  October  2007 


© 


9 


(10)  Perform  required  monitoring  of  network  resources  per  this  regulation. 

(11)  Ensure  the  use  of  Army  approved  I A  products  from  the  I A  Approved  Products  List. 

(12)  Implement  IA  and  IAVM  reporting  and  compliance  procedures  as  set  out  in  CJCSM  6510.01. 

(13)  Analyze  and  maintain  network  audit  data. 

(14)  Ensure  adequate  network  connectivity  by  making  proper  decisions  concerning  levels  of  confidentiality  and 
robustness  for  the  system. 

/  IASO.  The  commander  or  manager/director  of  the  activity  responsible  for  the  ISs  will  appoint  an  IASO  for  each  IS 
or  group  of  ISs.  The  same  IASO  may  be  appointed  for  multiple  ISs.  The  IASO  position  will  be  designated  IT— I,  IT— II, 
or  IT— III.  A  contractor  may  not  fill  MSC,  installation,  or  post  IASO  positions  at  IT— I,  if  created.  The  IASO  must  be  IA 
certified  and  maintain  his  or  her  certification.  Appoint  pre-deployment  or  operational  IASOs  for  developmental  systems 
with  the  applicable  responsibilities.  DOD  uses  the  term  IAO  for  IASO  responsibilities.  All  IASOs  will — 

(1)  Enforce  IA  policy,  guidance,  and  training  requirements  per  this  regulation  and  identified  BBPs. 

(2)  Ensure  implementation  of  IAVM  dissemination,  reporting,  and  compliance  procedures. 

(3)  Ensure  all  users  meet  the  requisite  favorable  security  investigations,  clearances,  authorization,  need-to-know,  and 
security  responsibilities  before  granting  access  to  the  IS. 

(4)  Ensure  users  receive  initial  and  annual  IA  awareness  training. 

(5)  Ensure  log  files  and  audits  are  maintained  and  reviewed  for  all  systems  and  that  authentication  (for  example, 
password)  policies  are  audited  for  compliance. 

(6)  Prepare,  distribute,  and  maintain  plans,  instructions,  and  SOPs  concerning  system  security. 

(7)  Review  and  evaluate  the  effects  on  security  of  system  changes,  including  interfaces  with  other  ISs  and  document 
all  changes. 

(8)  Ensure  that  all  ISs  within  their  area  of  responsibility  are  certified,  accredited  and  reaccredited. 

(9)  Maintain  and  document  CM  for  IS  software  (including  IS  warning  banners)  and  hardware. 

(10)  Pre-deployment  or  operational  IASOs  will  ensure  system  recovery  processes  are  monitored  and  that  security 
features  and  procedures  are  properly  restored. 

(11)  Pre-deployment  or  operational  IASOs  will  maintain  current  software  licenses  and  ensure  security  related 
documentation  is  current  and  accessible  to  properly  authorized  individuals. 

(12)  Tenant  IASOs  will  support  and  assist  tenant  IAMs  (or  the  installation  IAM  if  no  tenant  1AM  exists). 

(13)  Report  security  violations  and  incidents  to  the  servicing  RCERT  in  accordance  with  Section  VIII,  Incident  and 
Intrusion  Reporting. 

3-3.  Information  assurance  support  personnel 

In  addition  to  the  above  described  IA  structure,  other  personnel  have  crucial  responsibilities. 

a.  System  or  network  administrators.  System  administrators  (SAs)  and  network  administrators  (NAs)  must  be 
designated  IT— I,  IT— II,  or  IT— III  (see  para  4-14).  Each  SA/NA  must  be  trained,  experienced,  IA  certified,  and  currently 
certified  on  the  ISs  that  they  are  required  to  maintain.  The  SA/NA  should  be  a  U.S.  citizen  and  must  hold  a  U.S. 
Government  security  clearance  and  local  access  approvals  commensurate  with  the  level  of  information  processed  on  the 
system  or  network.  SA/NA  responsibilities  include,  but  are  not  limited  to,  implementing  the  AIAP  within  their 
command,  installation,  or  activity.  SA/NAs  will  be  designed  on  appointment  orders  and  will — 

(1)  Enforce  the  IS  security  guidance  policies  as  provided  by  the  IAM  and  perform  IASO  duties  if  an  IASO  has  not 
been  appointed. 

(2)  Enforce  system  access,  operation,  maintenance,  and  disposition  requirements. 

(3)  Ensure  that  personnel  meet  required  security  investigation,  clearance,  authorization,  mission  requirement,  and 
supervisory  approval  before  granting  access  to  the  IS. 

(4)  Report  security  violations  and  incidents  to  the  servicing  RCERT  in  accordance  with  Section  VIII,  Incident  and 
Intrusion  Reporting. 

(5)  Conduct  required  IAVM  scanning  and  vulnerability  assessments  with  approved  software  as  authorized  by  their 
IAM/IASO.  SAs/NAs  are  not  limited  to  only  IAVM  scanning,  but  should  be  conducting  comprehensive  network 
assessments  of  their  networks  as  authorized. 

(6)  Ensure  CM  includes  all  pertinent  patches  and  fixes  by  routinely  reviewing  vendor  sites,  bulletins,  and  notifica¬ 
tions  and  proactively  updating  systems  with  fixes,  patches,  definitions,  and  service  packs  with  1AM  or  IAPM  approval. 

(7)  Ensure  any  system  changes  resulting  from  updating  or  patching  are  reported  to  the  IAM/IASO. 

(8)  Record  IAVM  compliance  in  the  Asset  and  Vulnerability  Tracking  Resource  (A&VTR)  database. 

(9)  Maintain  current  anti-virus  (AV)  engines  and  definitions  on  all  ISs. 

(10)  Review  and  verify  currency  of  user  accounts,  accesses,  and  logins.  Remove  departing  users’  accounts  before 
departure.  Terminate  inactive  accounts  verified  as  no  longer  required  that  exceed  45  days. 

(11)  Suspend  user  accounts  for  the  following  types  of  actions:  actions  that  knowingly  threaten,  damage,  or  harm  the 
IS,  network  or  communications  security;  revocation,  suspension,  or  denial  of  security  clearance  or  interim  security 
clearance  investigations;  or  unauthorized  use  of  IS  and  networks  per  para  4— 5.s. 
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(12)  Remove  or  disable  all  default,  guest,  and  service  accounts  in  ISs  or  network  devices,  and  rename  administrative 
accounts  as  applicable. 

(13)  Maintain  and  use  at  least  2  separate  accounts  for  access  to  network  resources,  1  for  their  privileged  level 
access  and  a  separate  general  user,  non-privileged  level  account  for  routine  procedures. 

(14)  Review  IS  and  network  audit  logs  and  log  files,  and  report  anomalous  or  suspicious  information  in  accordance 
with  Section  VIII,  Incident  and  Intrusion  Reporting. 

(15)  Monitor  IS  performance  to  ensure  that  recovery  processes,  security  features,  and  procedures  are  properly 
restored  after  an  IS  has  been  rebooted. 

(16)  Monitor  IS  performance  to  ensure  that  processes,  security  features,  and  operating  system  configurations  are 
unaltered. 

(17)  Perform  equipment  custodian  duties  as  necessary. 

(18)  Notify  the  1AM  or  IAPM  when  a  system  no  longer  processes  sensitive  or  classified  information,  or  when 
changes  occur  that  might  affect  C&A,  to  obtain  disposition  or  resolution  instructions. 

(19)  Ensure  CM  for  security-relevant  IS  software  (including  IS  warning  banners)  and  hardware  is  maintained  and 
documented. 

(20)  Implement  and  test  IS  and  data  backup  procedures  for  integrity. 

(21)  Prohibit  attempts  to  strain  or  test  security  mechanisms  or  to  perform  network-line  or  keystroke  monitoring 
without  authorization. 

(22)  Establish  audit  trails,  conduct  reviews,  and  create  archives  as  directed  by  the  IAM. 

(23)  Will  sign  a  Privileged-level  Access  Agreement  (PAA)  and  a  Non-Disclosure  Agreement  (NDA)  as  a  prerequi¬ 
site  to  maintaining  their  positions.  Reference  the  IA  BBP  on  PAA;  AUP  (https://informationassurance.us.army.mil). 

b.  Data  owners.  Data  owners  will,  at  a  minimum,  provide  guidance  or  feedback  to  the  System  Owner  (SO) 
concerning — 

(1)  The  confidentiality  of  information  under  the  data  owner’s  purview. 

(2)  The  DIACAP  team’s  decision  regarding  the  level  of  classification,  confidentiality,  integrity,  availability,  encryp¬ 
tion,  and  protection  requirements  for  the  data  at  rest  or  in  transit. 

(3)  Specific  requirements  for  managing  the  owner’s  data  (for  example,  incident  response,  information  contamination 
to  other  system/media,  and  unique  audit  requirements). 

(4)  Whether  FNs  may  access  ISs  accredited  under  this  regulation.  Access  must  be  consistent  with  DOD,  DA,  and 
D1A  governing  directives  (for  example,  AR  380-10  and  DClDs  1/7  and  5/6). 

c.  General  users.  Use  of  Government  IS  and  access  to  Government  networks  is  a  revocable  privilege,  not  a  right. 
Users  are  the  foundation  of  the  DiD  strategy  and  their  actions  affect  the  most  vulnerable  portion  of  the  AEI.  Users 
must  have  a  favorable  background  investigation  or  hold  a  security  clearance  and  access  approvals  commensurate  with 
the  level  of  information  processed  or  available  on  the  system.  Users  will — 

(1)  Comply  with  the  command’s  AUP  for  Government  owned  ISs  and  sign  an  AUP  prior  to  or  upon  account 
activation. 

(2)  Complete  initial  and/or  annual  1A  training  as  defined  in  the  IA  training  BBP 
(https://informationassurance.us.army.mil). 

(3)  Mark  and  safeguard  files,  output  products,  and  storage  media  per  the  classification  level  and  disseminate  them 
only  to  individuals  authorized  to  receive  them  with  a  valid  need  to  know. 

(4)  Protect  ISs  and  IS  peripherals  located  in  their  respective  areas  in  accordance  with  physical  security  and  data 
protection  requirements. 

(5)  Practice  safe  network  and  Internet  operating  principles  and  take  no  actions  that  threaten  the  integrity  of  the 
system  or  network. 

(6)  Obtain  prior  approval  for  the  use  of  any  media  (for  example,  USB,  CD-ROM,  floppy  disk)  from  the  SA/ 
IAM 

(7)  Scan  all  files,  attachments,  and  media  with  an  approved  and  installed  AV  product  before  opening  a  file  or 
attachment  or  introducing  media  into  the  IS. 

(8)  Report  all  known  or  suspected  spam,  chain  letters,  and  violations  of  acceptable  use  to  the  SA,  IAM,  or  1AS0. 

(9)  Immediately  stop  using  an  infected  IS;  and  report  suspicious,  erratic,  or  anomalous  IS  operations,  and  missing  or 
added  files,  services,  or  programs  to  the  SA/IASO  in  accordance  with  local  policy. 

(10)  Not  disclose  their  individual  account  password  or  pass-phrase  authenticators. 

(11)  Invoke  password-protected  screen  locks  on  your  workstation  after  not  more  than  15  minutes  of  non-use 
or  inactivity. 

(12)  Logoff  ISs  at  the  end  of  each  workday. 

(13)  Access  only  that  data,  control  information,  software,  hardware,  and  firmware  for  which  the  user  is 
authorized  access. 

(14)  Access  only  that  data  that  they  are  authorized  or  have  a  need  to  know. 


16 

ManningB_00016251 


AR  25-2  •  24  October  2007 


© 


9 


(15)  Assume  only  authorized  roles  and  privileges  as  assigned. 

(16)  Users  authorized  Government-provided  I A  products  (for  example,  AV  or  personal  firewalls)  will  be  encouraged 
to  install  and  update  these  products  on  their  personal  systems  and  may  be  required  to  do  so  as  directed  by  the  DAA 
and  documented  in  the  C&A  package  for  any  approved  remote  access. 

d.  COMSEC  custodians  and  inspecting  personnel.  Execute  responsibilities  as  required  per  this  regulation  and  AR 
380-40. 

e.  TEMPEST  personnel.  Execute  responsibilities  as  required  in  AR  381-14. 

f.  Intelligence  personnel.  Senior  intelligence  officers  (SIOs)  or  command  intelligence  officers  (DCSINT/G2s/S2s) 
will — 

(1)  Ensure  the  command  statement  of  intelligence  interest  (SI1)  (AR  381-10  and  AR  381-20)  registers  requirements 
for  the  receipt  of  validated  intelligence  adversely  affecting  the  integrity  and  reliability  of  ISs. 

(2)  Provide  assistance  in  the  identification  of  threat  factors  affecting  the  risk  management  approach  for  implement¬ 
ing  security  safeguards. 

g.  Force  protection  officers.  Execute  responsibilities  as  required  by  AR  525-13. 

h.  Information  operations  officers.  Execute  responsibilities  as  required  by  FM  3-13. 

i.  OPSEC  officers.  The  primary  OPSEC  vulnerability  is  information  made  publicly  accessible  through  Web  sites  and 
Web-enabled  applications.  Commanders  and  Directors  will  develop  and  implement  an  OPSEC  review  plan  as  part  of 
their  inspection  programs.  All  content  placed  on  a  Web  site  will  be  reviewed  for  OPSEC  sensitive  information. 
Additionally,  execute  responsibilities  as  required  per  AR  530-1. 

j.  Public  affairs  officers  (PA Os).  Execute  1A  responsibilities  as  required  per  this  and  AR  25-1. 

k.  Acquisition  officers.  Include  IA  requirements  in  the  acquisition  phases  and  execute  responsibilities  as  required  by 
DOD  5000.2-R  and  NSTISSP  No.  11. 

l.  DOIMs.  Execute  responsibilities  per  this  regulation  and  AR  25-1. 

m.  DAAs  (see  para  5-8). 

(1)  The  DAA  will— 

(a)  Be  a  U.S.  citizen. 

(b)  Hold  a  U.S.  Government  security  clearance  and  access  approvals  commensurate  with  the  level  of  information 
processed  by  the  system  under  his  or  her  jurisdiction. 

(c)  Be  an  employee  of  the  U.S.  Government  and  meet  the  grade  requirements  identified  in  paragraph  5-8. 

(d)  Complete  the  DAA  Basics  Computer  Based  Training  prior  to  performing  the  duties  of  DAA. 

(e)  Request  appointment  from  the  CIO/G-6  for  IS  by  name. 

(f)  Ensure  the  DAA  position  is  designated  as  an  IT— I,  based  on  the  duties  assigned  and  the  expected  effects  on  the 
Army  mission. 

(g)  Meet  training  and  certification  requirements  in  accordance  with  NSTISSI  No.  4012. 

(h)  The  DAA  will  understand  the  operational  need  for  the  systems  and  the  operational  consequences  of  not 
operating  the  systems.  The  DAA  will  have  an  in-depth  knowledge  of  DiD  to  drive  state-of-the-art  acquisition,  focus  a 
robust  training  program,  and  institute  executable  policy  across  the  IA  enterprise. 

(2)  The  DAA  will  ensure  the  following  as  a  minimum — 

(a)  Proper  C&A  based  on  systems  environment,  mission  assurance  category  (MAC)  level,  confidentiality  level,  and 
security  safeguards  in  accordance  with  this  regulation  and  the  Interim  DIACAP. 

(b)  Issue  written  memo  or  digitally  signed  e-mail  IA  C&A  authorization  statements  (that  is,  interim  approval  to 
operate  (IATO),  interim  authorization  to  test  (IATT),  approval  to  operate  (ATO),  denial  of  authorization  to  operate 
(DATO)),  after  receipt  of  CA  recommendation. 

(c)  Maintain  records  (including  use  of  IA  tools)  for  all  IS  C&A  activities  under  his  or  her  purview. 

(d)  Accomplish  roles  and  responsibilities  as  outlined  in  this  regulation  during  each  phase  of  the  accreditation  process 
and  for  each  IS  as  required. 

(e)  Ensure  operational  IS  security  policies  are  in  place  for  each  system,  project,  program,  and  organization  or  site  for 
which  the  DAA  has  approval  authority. 

(f)  Incorporate  security,  C&A,  and  Networthiness  as  an  element  of  the  life  cycle  process. 

(g)  Ensure  data  owner  requirements  are  met  before  granting  any  FN  access  to  the  system. 

(h)  Consider  and  acknowledge  Cl  and  criminal  intelligence  activities  during  the  C&A  process. 

(i)  Report  security-related  events  to  affected  parties  (for  example,  data  owners,  all  involved  DAAs).  DAAs  must 
coordinate  with  investigative  activities  (for  example,  CCIU,  RCERT)  before  making  notifications. 

(j)  Assign  written  security  responsibilities  to  the  individuals  reporting  directly  to  the  DAA  (for  example,  IAM  or  an 
IASO  if  an  IAM  does  not  exist). 

(k)  Appoint  a  CA  for  each  IS  (or  group  of  ISs)  and  network. 

(l)  Ensure  CSLA  certification  of  cryptographic  applications  occurs  during  the  C&A  process. 

n.  CA.  Authority  and  responsibility  for  certification  is  vested  in  the  Army  FISMA  Senior  IA  Officer  (SIAO).  The 
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Director  OIA&C,  NETC-EST-I,  was  appointed  FISMA  SIAO  by  the  CIO/G-6  and  will  be  the  single  Army  certifica¬ 
tion  authority  (see  para  5-2). 

o.  Agent  of  the  certification  authority  (ACA).  (See  also  para  5-9).  The  Army  CA  will  maintain  a  list  of  qualified 
Government  organizations  and  labs,  as  Agents  of  the  CA  (ACA),  to  perform  the  certification  activities.  The  ACAs, 
funded  by  the  SOs,  are  available  to  provide  SOs  with  certification  capabilities.  Organizations  can  request  appointment 
as  an  ACA  by  following  the  process  in  the  ACA  BBP. 

p.  SO.  A  Government  SO  will  be  identified  for  each  IS  used  by  or  in  support  of  the  Army.  The  SO  is  responsible 
for  ensuring  the  security  of  the  IS  as  long  as  it  remains  in  Army  inventory,  or  until  transferred  (temporarily  or 
permanently)  to  another  Government  person  or  organization  and  such  transfer  is  appropriately  documented,  and 
provided  as  an  artifact  to  the  accreditation  package  (see  para  5-10). 

q.  Host  and  tenant  responsibilities.  Army  tenant  units  or  activities  must  comply  with  the  1A  requirements  of  their 
parent  ACOM/ASCC  and  their  supporting  installation.  Army  and  non-Army  tenant  operations  must  comply  with  the 
host  installation’s  IA  policy  if  they  connect  to  the  installation’s  information  infrastructure.  Army  tenant  units  or 
activities  and  units  based  in  or  under  operational  control  (OPCON)  of  an  ACOM/ASCC  other  than  their  parent  will 
comply  with  the  IA  requirements  of  both  parent  and  host  commands.  Address  unresolved  conflicts  of  1A  policy  per  this 
regulation  through  local  command  channels  and  RClOs  to  HQDA,  CIO/G-6.  Until  CIO/G-6  resolves  the  conflict,  the 
provisions  of  this  regulation  will  apply,  including  those  pertaining  to  the  use  of  gateways  or  information  management 
resources  as  pathways  to  connect  their  ISs.  If  the  non-Army  tenant  uses  any  part  of  the  host  installation  infrastructure, 
the  installation  IAM  will  require  the  use  of  CM  controls  consistent  with  the  installation’s  information  management  and 
CM  process.  All  tenant  activities  will — 

(1)  Identify  and  coordinate  all  system  upgrades,  fieldings,  pilots,  tests,  and  operations  of  new  or  upgraded  systems 
with  the  installation  1AM,  DAA,  and  DOIM. 

(2)  Identify  ISs  and  provide  the  approved  C&A  documentation  to  the  installation  IAM. 

(3)  Identify  their  security  support  requirements  to  the  installation  IAM  and  provide  technical  assistance,  as  required. 

(4)  Identify  appropriate  IA  personnel  to  the  installation  IAM. 

(5)  Support  installation  IA  efforts  and  requirements,  and  identify  constraints  in  sufficient  time  to  permit  coordination 
and  preparation  of  a  viable  IS  security  solution. 

(6)  Coordinate  and  conduct  vulnerability  assessments  or  compliance  scanning,  and  report  completion  and  results  as 
required. 


Chapter  4 

Information  Assurance  Policy 

Section  I 
General  Policy 

4-1.  Policy  overview 

This  chapter  provides  policy  to  implement  IA  requirements  developed  to  respond  to  the  IA  challenge,  as  defined  in 
Public  Law,  National  Security,  DOD,  and  Army  directives,  policies,  and  regulations. 

a.  Implement  all  security  analyses,  security  engineering,  and  security  countermeasures  to  protect  ISs  within  the 
framework  of  risk  management  and  adherence  to  public  laws,  DOD  directives,  and  Army  regulations. 

b.  Define  a  security  policy  and  a  protection  profile  for  ISs  during  concept  development.  Consider  security  require¬ 
ments  based  on  these  items  throughout  the  IS  life  cycle. 

c.  The  IS  developer  will  ensure  the  early  and  continuous  involvement  of  the  functional  proponent,  threat  and  risk 
assessors,  users,  IA  personnel,  data  owners,  certification  authorities,  and  DAAs  in  defining  and  implementing  security 
requirements  of  the  IS. 

d.  Statements  of  security  requirements  will  be  included  in  the  acquisition  and  procurement  specifications  and 
contracts  for  ISs,  products,  and  services.  Purchases  will  be  in  accordance  with  Army  contracting  and  acquisition 
guidelines.  Blanket  Purchase  Agreements  (BP As),  and  IA-approved  products.  NIST  Special  Publication  800-64  REV.l 
may  be  referenced  for  specification,  tasks,  and  clauses  that  are  used  in  writing  contracts.  The  statements  will  reflect  an 
initial  risk  assessment  and  will  specify  the  required  protection  level  per  DODD  8500.1  and  DODI  8500.2. 

e.  The  ACOMs,  ASCCs,  DRUs,  direct  reporting  PMs,  or  functional  proponents  will  not  field,  and  commanders  will 
not  accept,  systems — 

(1)  That  do  not  meet  minimum  security  standards  stated  in  the  acquisition  and  procurement  specifications. 

(2)  For  which  a  C&A  authorization  has  not  been  obtained  from  the  appropriate  DAA. 

/  Commanders  are  responsible  for  ensuring  that  ISs  under  their  purview  are  operated  in  a  manner  consistent  with 
the  system  C&A  package  and  this  regulation. 
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g.  Development  and  modification  to  existing  ISs  will  be  performed  in  a  manner  that  makes  security  an  integral  part 
of  the  development,  acquisition,  fielding,  and  operational  processes. 

h.  All  ISs  will  be  subjected  to  the  acquisition  life  cycle  per  AR  70-1. 

/'.  AR  525-13  prescribes  policies  and  procedures  for  the  Army  antiterrorism  program  and  assigns  responsibilities  for 
including  defensive  information  operations. 

4-2.  Funding 

HQDA  will  manage  and  provide  annual  1A  initiatives  funding  guidance  and  support  required  for  Management  Decision 
Packages  (MDEPs)  MS4X  and  MX5T,  and  others  as  appropriate.  Funding  guidance  will  change  from  year  to  year,  and 
ClO/G-6  will  publish  annual  guidance  on  the  submission  of  1A  requirements  and  the  CIO/G-6  validation  processes  of 
those  submitted  requirements.  This  funding  and  budgeting  process  will  continue  under  the  Army  Information  System 
Security  Program  (A1SSP)  direction  and  guidance.  This  annual  guidance  provided  to  IAPMs  and  other  appropriate 
personnel  will  identify  valid  IA  submission  requirements  and  the  type  of  information  required.  CIO/G— 6  will  present 
validated  IA  requirements  to  the  appropriate  Program  Evaluation  Group  (PEG). 

a.  Reporting  requirements.  The  RCIOs  and  ACOMs/ASCCs  will  provide  the  MDEP  MS4X  Report  (illustrated  in 
table  4-1)  to  the  HQDA,  CIO/G-6,  as  indicated  below— 

(1)  Submit  fiscal  year  (FY)-phased  execution  plans  to  the  CIO/G-6  no  later  than  10  August  of  each  year. 

(2)  Funded  commands  must  provide  a  detailed  midyear  and  yearend  actual  execution  report. 

(a)  The  midyear  actual  execution  report  is  due  to  the  CIO/G-6  not  later  than  10  May  of  each  fiscal  year. 

(b)  The  yearend  actual  execution  report  is  due  to  the  CIO/G-6  not  later  than  10  October  of  each  fiscal  year. 

(c)  Both  the  midyear  and  yearend  actual  execution  reports  must  be  tied  to  phased  execution  plans  and  reconciled 
with  the  official  Execution  Database  Summary  (218)  report. 

(d)  Review  execution  reports  for  unauthorized  expenditures  and  unauthorized  fund  reprogramming. 

(e)  HQDA,  CIO/G-6  will  monitor  program  execution  on  a  regular  basis. 

(f)  Commands  receiving  MDEP  MS4X  funds  will  submit  semi-annual  reports.  (Reporting  Requirements  (RCS: 
CSIM-62).) 


MDEP  MS4X,  Information  Assurance  Phased  Funding  Utilization  Plan/Actual  Execution  Report  (RCS:  CSIM-62) 
For  period  ending  092009  (MMYYYY) 


Project  execution 
data 

Phased  Fund  Utili¬ 
zation  Plan 

Estimated  cost 

Actual  obligation 

Date  obligated 

Actual  execution 

(09/09) 

Item  (for  example, 
training  (what  type 
and  number  of  par¬ 
ticipants);  specific 
equipment  items) 

($000) 

($000) 

($000)  (09/08) 

Remarks:  (for  example, 
status  of  procurement  ac¬ 
tion,  explanation  for  non¬ 
execution  of  funds  in  line 
with  execution  plan;  ex¬ 
plain  what  specific  equip¬ 
ment  items  will  be  used 
for) 

b.  MDEP  MX5T  funds.  MDEP  MX5T  funds  are  used  in  centralized  procurement  of  COMSEC  and  I A  equipment 
within  the  Army.  The  following  guidance  is  provided: 

(1)  Commanders  are  responsible  for  developing  their  respective  command  and  combatant  command-level  MX5T 
requirements.  Inputs  will  be  staffed  through  their  local  IA  channels  and  provided  to  the  RCIO  and  HQDA  for  all  their 
sub-activities  and  subordinate  commands. 

(2)  Garrison  commanders  and  tenant  activities  will  report  INFOSEC,  COMSEC,  and  IA  requirements  to  their 
respective  RCIOs. 

(3)  PEOs  are  responsible  for  developing,  managing,  and  providing  input  to  the  HQDA  for  all  their  PMs. 

(4)  A  PM  that  reports  directly  to  HQDA  is  responsible  for  developing  requirements  and  providing  his  or  her  input  to 
HQDA. 

(5)  Forecast  data  over  a  15-year  period  for  the  purpose  of  short-term,  mid-term,  and  long-term  funding  projections. 
Provide  this  data  to  the  CSLA  database  located  at  Fort  Huachuca,  Arizona.  Provide  the  following  minimum  data: 

(a)  Name  of  INFOSEC,  COMSEC,  or  IA  system,  equipment,  or  product  needed. 

(b)  Name  of  system  requiring  INFOSEC,  COMSEC,  or  IA  systems,  equipment,  or  products. 

(c)  Quantity  of  each  type  of  INFOSEC,  COMSEC,  or  IA  equipment  needed  starting  with  the  first  year  of  the 
program  objective  memorandum  (POM). 

(d)  Name  of  the  approving  authority. 
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(e)  Point  of  contact’s  name,  mailing  address,  and  e-mail  and  Defense  Message  System  (DMS)  addresses. 

(f)  Name  of  operational  requirements  document  (ORD)  and  date  approved. 

(g)  Short  description  of  system. 

(h)  Other  information  as  directed  by  HQDA  CIO/G-6  or  DCS,  G-3. 

(6)  Submission  of  un-resourced  requirements  will  be  to  CIO/G-6,  Attention:  NETC-ESTA-I. 

4-3.  Information  assurance  training 

All  individuals  appointed  as  1A  or  network  operations  personnel  must  successfully  complete  an  IA  security  training 
certification  course  of  instruction  equivalent  to  the  duties  assigned  to  them.  Individuals  must  also  be  certified  in 
accordance  with  the  DOD  baseline  requirements  of  DODD  8570.1.  Personnel  with  privileged  access  must  sign  a 
privileged  level  user  agreement.  Personnel  in  technical  level  positions  will  complete  the  applicable  computing  environ¬ 
ment  certifications.  Methods  of  training  are  web  based  at  https://ia.gordon.army.mil,  or  other  Service  or  Agency 
equivalent. 

a.  Requirements. 

(1)  IAPM  will— 

(a)  Complete  the  Army  IASO  course  within  6  months  of  appointment. 

(b)  Complete  Army  E-leaming  training  course  for  Certified  Information  Systems  Security  Professional  (CISSP). 

(c)  Completion  dates  are  automatically  uploaded  into  the  ATCTS. 

(d)  Complete  applicable  DOD  baseline  management  certification. 

(2)  IANM  will— 

(a)  Comply  with  paragraphs  a(l)(a),  a(l)(c),  and  fl(l)(d),  above. 

(b)  Complete  the  SA/NM  security  course  (at  Fort  Gordon  or  a  mirror  site)  within  6  months  of  appointment. 

(3)  IAM  will  comply  with  paragraphs  a(l)(a),  o(lXc),  and  a(l)(d),  above. 

(4)  IANO  will  comply  with  paragraphs  a(l)(a),  a(l)(c),  and  a(l)(d),  above. 

(5)  IASO  will— 

(a)  Complete  an  IASO  Course  within  6  months  of  appointment.  Methods  of  training  are  Web  based  (http:// 
ia.gordon.army.mil),  DISA  Information  Assurance  Policy  and  Technology  (1AP&T)  Web  Based  Training  at  http:// 
iase.disa.mil/eta/index.html),  Army  E-Leaming/CBT  IA  modules,  command  (or  other  Service)  course. 

(b)  Comply  with  paragraphs  o(l)(c)  and  a(l)(d),  above. 

(6)  SAs  will- 

fa;  Complete  introductory  training  (Level  I)  within  6  months  of  assuming  position.  SAs  will  be  certified  to  Level  I 
as  a  minimum.  Methods  of  training  are  Web  based  (https://ia.gordon.army.mil),  DISA  Information  Assurance  Policy 
and  Technology  (IAP&T)  Web  Based  Training  at  http://iase.disa.mil/eta/index.html),  Army  E-Leaming/CBT  IA  mod¬ 
ules,  or  command  (or  other  Service)  courses.  RClOs  or  command  IA  personnel  (as  applicable)  will  determine  if  limits 
on  SA  duties  warrant  certification  to  Level  I  only. 

(b)  Complete  technical  training  (Level  II)  SA  Security  Course  (schedules  available  at  http://ia.gordon.army.mil)  or  a 
Command-equivalent  course  within  6  months  of  assuming  position. 

(c)  Complete  advanced  training  (Level  III)  at  the  National  Guard  Bureau  (NGB)  Computer  Emergency  Response 
Team  Operational  Training  Experience  (CERT  OTE)  or  USAR  Computer  Network  Defense  Course  (CNDC)  courses, 
or  other  Service  or  agency  equivalents  as  required. 

(d)  Complete  applicable  DOD  technical  and  computing  environment  baseline  certifications. 

(e)  Comply  with  paragrapha(  1  )(c),  above. 

(7)  Contracting  officer’s  representatives  (CORs).  Contracting  officer’s  representatives  will  compare  contractor  quali¬ 
fications  to  the  statement  of  work/  performance  work  statement  requirements  to  ensure  contractor-nominated  IA  and 
SA  positions  meet  minimum  requirements  before  acceptance  for  employment.  If  the  personnel  provided  are  non- 
compliant  with  the  statement  of  work  requirements,  the  COR  will  notify  the  Contracting  Officer  for  implementation  of 
contract  remedies. 

(8)  IA  user  awareness  training.  IAMs,  SAs,  and  IASOs  will  ensure  that  a  user-training  program  is  in  place  for  all 
users  in  the  command.  Online  user  training  courses  can  be  found  https://ia.gordon.army.mil. 

(a)  All  users  must  receive  IA  awareness  training  tailored  to  the  system  and  information  accessible  before  issuance  of 
a  password  for  network  access.  The  training  will  include  the  following: 

1.  Threats,  vulnerabilities,  and  risks  associated  with  the  system.  This  portion  will  include  specific  information 
regarding  measures  to  reduce  malicious  logic  threats,  principles  of  shared  risk,  external  and  internal  threat  concerns, 
acceptable  use,  privacy  issues,  prohibitions  on  loading  unauthorized  software  or  hardware  devices,  and  the  requirement 
for  frequent  backups. 

2.  Information  security  objectives  (that  is,  what  needs  to  be  protected). 

J.  Responsibilities  and  accountability  associated  with  IA. 

4.  Information  accessibility,  handling,  and  storage  considerations. 
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5.  Physical  and  environmental  considerations  necessary  to  protect  the  system. 

6.  System  data  and  access  controls. 

7.  Emergency  and  disaster  plans. 

8.  Authorized  systems  configuration  and  associated  CM  requirements. 

9.  Incident,  intrusion,  malicious  logic,  virus,  abnormal  program,  or  system  response  reporting  requirements. 

10.  INFOCON  requirements  and  definitions. 

11.  AUP  requirements. 

(b)  Users  will  receive  annual  refresher  training  as  a  minimum  or  as  conditions  warrant. 

(9)  Vulnerability  assessment  certification.  1A  personnel  conducting  vulnerability  assessments  on  ISs  must  achieve 
VAT  certification  through  their  supporting  RCERT  or  TNOSC.  (This  is  not  equivalent  to  the  1AVM  program 
assessment  procedures.)  Additional  guidance  and  procedures  in  accordance  with  the  policy  can  be  found  on  the  1A 
BBP  Web  site. 

b.  Refresher  training.  Refresher  training  for  lAPMs,  lAMs,  lANMs,  lASOs,  and  SAs/NAs  will  be  attendance  at  an 
I A  workshop  every  18-24  months,  attendance  at  DOD-sponsored  1A  workshops,  completion  of  modules  in  Army 
E-Learning  1A  learning  path,  or  approved  commercial  courses.  Baseline  certifications  will  be  maintained  in  accordance 
with  the  requirements  of  the  certifying  body. 

c.  Substitutions  or  equivalencies. 

(1)  lAPMs,  lAMs,  lASOs,  and  lANMs  can  substitute  other  Service  or  Agency  courses  to  fulfill  these  requirements. 
Identify  the  substitute  course,  duration,  and  sponsor  when  tracking  completion  dates. 

(2)  SAs  and  lANMs  can  substitute  courses  to  fulfill  the  technical  training  (Level  II)  requirement. 

4-4.  Mission  assurance  category,  levels  of  confidentiality,  and  levels  of  robustness 

a.  Mission  assurance  category.  All  ISs  will  be  assigned  a  mission  assurance  category  that  reflects  the  importance  of 
the  information  relative  to  the  achievement  of  DOD  goals  and  objectives.  The  IS  mission  assurance  category  will  be 
determined  by  the  DOD  or  Army  proponent  and  agreed  upon  by  the  DIACAP  team.  The  MAC  level  is  used  to 
determine  the  1A  Controls  for  integrity  and  availability  in  accordance  with  DOD1  8500.2.  Refer  to  DODI  8500.2  (http:/ 
/iase.disa.mil/policy.html)  for  additional  detailed  guidance  and  procedures  for  defining  or  assigning  mission  assurance 
categories. 

(1)  MAC  I  is  a  high  integrity,  high  availability  for  DOD  ISs  handling  information  that  is  determined  to  be  vital  to 
the  operational  readiness  or  mission  effectiveness  of  deployed  and  contingency  forces  in  terms  of  both  content  and 
timeliness.  The  consequences  of  loss  of  integrity  or  availability  is  unacceptable  and  could  include  the  immediate  and 
sustained  loss  of  mission  effectiveness. 

(2)  MAC  II  is  a  high  integrity,  medium  availability  for  DOD  ISs  handling  information  that  is  important  to  the 
support  of  deployed  and  contingency  forces.  The  consequence  of  loss  of  integrity  is  unacceptable.  Loss  of  availability 
is  difficult  to  deal  with  and  can  only  be  tolerated  for  a  short  time. 

(3)  MAC  III  is  a  basic  integrity,  basic  availability  for  DOD  ISs  handling  information  that  is  necessary  for  the 
conduct  of  day-to-day  business,  but  does  not  materially  affect  support  to  deployed  or  contingency  forces  in  the  short¬ 
term.  The  consequences  of  loss  of  integrity  or  availability  can  be  tolerated  or  overcome  without  significant  impacts  on 
mission  effectiveness  or  operational  readiness. 

b.  Confidentiality  levels.  All  ISs  will  be  assigned  a  confidentiality  level  based  on  the  classification  or  sensitivity  of 
the  information  processed.  The  confidentiality  level  is  used  to  establish  acceptable  access  factors  and  to  determine  the 
DODI  8500.2  IA  Controls  applicable  to  the  information  system.  DOD  has  defined  the  following  three  confidentiality 
levels: 

(1)  Classified  —  Information  designated  top  secret,  secret  or  confidential  in  accordance  with  Executive  Order 
12356. 

(2)  Sensitive  —  Information  the  loss,  or  unauthorized  access  to  or  modification  of  could  adversely  affect  the 
national  interest  or  conduct  of  Federal  programs,  or  Privacy  Act  information.  Includes,  but  is  not  limited  to  For  Official 
Use  Only  (FOUO),  Privacy  data,  unclassified  controlled  nuclear  information,  and  unclassified  technical  data. 

(3)  Public  -  Information  has  been  reviewed  and  approved  for  public  release. 

c.  Levels  of  robustness.  All  ISs  will  employ  protection  mechanisms  that  satisfy  criteria  for  basic,  medium,  or  high 
levels  of  robustness  per  DODI  8500.2  and  Federal  Information  Processing  Standard  (FIPS)  140-2.  Each  IS  will  be 
managed  and  operated  to  achieve  the  appropriate  level  of  protection  for  the  applicable  functional  security  requirements. 

(1)  High  robustness.  High  robustness  is  the  security  services  and  mechanisms  that  provide  the  most  stringent 
protection  and  rigorous  security  countermeasures.  Generally,  high  robustness  technical  solutions  require  NSA-certified 
high-robustness  solutions  for  cryptography,  access  control  and  key  management,  and  high  assurance  security  design  as 
specified  in  NSA-endorsed  high  robustness  protection  profiles,  where  available. 

(2)  Medium  robustness.  Medium  robustness  is  security  services  and  mechanisms  that  provide  for  layering  of 
additional  safeguards  above  good  commercial  practices.  Medium  robustness  technical  solutions  require,  at  a  minimum, 
strong  (for  example,  crypto-based)  authenticated  access  control,  NSA-approved  key  management,  NIST  FIPS-validated 
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cryptography,  and  the  assurance  properties  as  specified  in  NSA-endorsed  medium  robustness  protection  profiles  or  the 
Protection  Profile  Consistency  Guidance  for  medium  robustness. 

(3)  Basic  robustness.  Basic  robustness  is  the  security  services  and  mechanisms  that  equate  to  best  commercial 
practices.  Basic  robustness  technical  solutions  require,  at  a  minimum,  authenticated  access  control,  NIST-approved  key 
management  algorithms,  NIST  FIPS-validated  cryptography,  and  the  assurance  properties  specified  in  NSA-endorsed 
basic  robustness  protection  profiles  or  the  Protection  Profile  Consistency  Guidance  for  Basic  Robustness. 

d.  Level  of  total  system  exposure.  The  appropriate  level  of  protection  for  each  functional  security  requirement  will 
be  determined  using  a  combination  of  the  mission  assurance  category,  level  of  confidentiality,  and  level  of  robustness. 

(1)  Each  IS  will  be  reviewed  against  the  mission  assurance  category  definitions  provided  in  DODI  8500.2,  Enclo¬ 
sure  2,  and  assigned  to  a  mission  assurance  category. 

(2)  Each  IS  will  be  assigned  a  confidentiality  level  based  on  the  classification  or  sensitivity  of  the  information 
processed,  stored,  or  transmitted. 

(3)  Determine  the  applicable  IA  controls  from  DODI  8500.2. 

(4)  The  identified  controls  for  the  level  of  total  system  exposure  serve  as  the  baseline  1A  requirements  for  C&A  or 
reaccreditation  and  will  be  reassessed  and  revalidated  every  3  years  as  a  minimum. 

4-5.  Minimum  information  assurance  requirements 

All  required  risk  analyses  will  evaluate  and  identify  possible  vulnerabilities  and  adverse  security  effects  on  associated 
ISs  and  networks.  Although  manual  procedures  are  acceptable  when  an  automated  safeguard  is  not  feasible,  IA 
personnel  will  embed  automated  security  safeguards  into  the  design  and  acquisition  of  ISs  to  ensure  a  secure 
infrastructure. 

a.  Prohibited  activities.  In  addition  to  the  prohibited  activities  listed  in  AR  25-1,  the  following  activities  are 
specifically  prohibited  by  any  authorized  user  on  a  Government  provided  IS  or  connection: 

(1)  Use  of  ISs  for  unlawful  or  unauthorized  activities  such  as  file  sharing  of  media,  data,  or  other  content  that 
is  protected  by  Federal  or  state  law,  including  copyright  or  other  intellectual  property  statutes. 

(2)  Installation  of  software,  configuration  of  an  IS,  or  connecting  any  ISs  to  a  distributed  computer  environ¬ 
ment  (DCE),  for  example  the  SETI  project  or  the  human  genome  research  programs. 

(3)  Modification  of  the  IS  or  software,  use  of  it  in  any  manner  other  than  its  intended  purpose,  or  adding 
user-configurable  or  unauthorized  software  such  as,  but  not  limited  to,  commercial  instant  messaging,  commer¬ 
cial  Internet  chat,  collaborative  environments,  or  peer-to-peer  client  applications.  These  applications  create 
exploitable  vulnerabilities  and  circumvent  normal  means  of  securing  and  monitoring  network  activity  and  provide  a 
vector  for  the  introduction  of  malicious  code,  remote  access,  network  intrusions  or  the  exfiltration  of  protected  data. 

(4)  Attempts  to  strain,  test,  circumvent,  or  bypass  network  or  IS  security  mechanisms,  or  to  perform  network 
or  keystroke  monitoring.  RCERTs,  Red  Team,  or  other  official  activities,  operating  in  their  official  capacities  only, 
may  be  exempted  from  this  requirement. 

(5)  Physical  relocation  or  changes  to  configuration  or  network  connectivity  of  IS  equipment. 

(6)  Installation  of  non-Government-owned  computing  systems  or  devices  without  prior  authorization  of  the 
appointed  DAA  including  but  not  limited  to  USB  devices,  external  media,  personal  or  contractor-owned  laptops, 
and  MCDs. 

(7)  Release,  disclose,  transfer,  possess,  or  alter  information  without  the  consent  of  the  data  owner,  the  original 
classification  authority  (OCA)  as  defined  by  AR  380-5,  the  individual’s  supervisory  chain  of  command,  Freedom  of 
Information  Act  (FOIA)  official,  Public  Affairs  Office,  or  disclosure  officer’s  approval. 

(8)  Sharing  personal  accounts  and  authenticators  (passwords  or  PINs)  or  permitting  the  use  of  remote  access 
capabilities  through  Government  provided  resources  with  any  unauthorized  individual. 

(9)  Disabling  or  removing  security  or  protective  software  and  other  mechanisms  and  their  associated  logs 
from  IS. 

b.  Accreditation.  ISs  and  networks  will  be  accredited  in  accordance  with  interim  DOD  and  Army  DIACAP 
documentation  and  Army  supplemental  networthiness  guidance. 

c.  Access  control.  IA  personnel  will  implement  system  and  device  access  controls  using  the  principle  of  least 
privilege  (POLP)  via  automated  or  manual  means  to  actively  protect  the  IS  from  compromise,  unauthorized  use  or 
access,  and  manipulation.  IA  personnel  will  immediately  report  unauthorized  accesses  or  attempts  to  their  servicing 
RCERT  in  accordance  with  Section  VIII,  Incident  and  Intrusion  reporting.  Commanders  and  DAAs  will — 

(1)  Enforce  users’  suspensions  and  revocation  for  violations  of  access  authorization  or  violation  in  accordance  with 
para  3-3c(13). 

(2)  Develop  the  approval  processes  for  specific  groups  and  users. 

(3)  Validate  individual  security  investigation  (or  approve  interim  access)  requirements  before  authorizing  IS  access 
by  any  user. 

(4)  Verify  systems  are  configured  to  automatically  generate  an  auditable  record  or  log  entry  for  each  access  granted 
or  attempted. 
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(5)  Validate  that  systems  identify  users  through  the  user’s  use  of  unique  user  identifications  (USERIDs). 

(6)  Validate  that  systems  authenticate  users  through  the  use  of  the  CAC  as  a  two-factor  authentication  mechanism. 
The  CAC  has  certificates  on  the  integrated  circuit  chip  (ICC),  and  will  be  used  as  the  primary  user  identifier  and  access 
authenticator  to  systems. 

(7)  Validate  system  configurations  to  authenticate  user  access  to  all  systems  with  a  minimum  of  a  USERID  and  an 
authenticator  when  the  systems  are  incapable  of  CAC  enablement  until  these  are  replaced.  An  authenticator  may  be 
something  the  user  knows  (password),  something  the  user  possesses  (token),  or  a  physical  characteristic  (biometric). 
The  most  common  authenticator  is  a  password. 

(8)  Verify  that  system  configurations  use  password-protected  screen  savers,  screen  locks,  or  other  lockout  features  to 
protect  against  unauthorized  access  of  ISs  during  periods  of  temporary  non-use.  Ensure  such  mechanisms  automatically 
activate  when  a  terminal  is  left  unattended  or  unused.  The  DOD  activation  standard  is  established  at  15  minutes. 
Establish  a  shorter  period  when  IS  are  used  in  a  multinational  or  coalition  work  area.  In  instances  where  the  unattended 
lockout  feature  hinders  operations,  for  example;  standalone  briefing  presentation  systems,  medical  triage  devices,  or 
operating  room  systems  status;  the  DAA  and  SO  can  approve  longer  timeouts  as  an  exception  only  when  it  imposes  a 
minimum  of  risk,  other  control  mechanisms  are  enabled  to  mitigate  these  risks,  and  documented  in  the  C&A  package. 
However  the  timeout  feature  will  never  be  disabled  and  the  system  will  never  remain  unattended  during  this  extended 
use  period.  Exceptions  will  never  be  granted  for  matters  of  convenience  or  ease  of  use. 

(9)  Validate  that  system  configurations  prohibit  anonymous  accesses  or  accounts  (for  example.  Student  1,  Student2, 
Patron  1,  Patron2,  anonymous). 

(10)  Prohibit  the  use  of  generic  group  accounts.  Permit  exceptions  only  on  a  case-by-case  basis  when  supporting  an 
operational  or  administrative  requirement  such  as  watch-standing  or  helpdesk  accounts,  or  that  require  continuity  of 
operations,  functions,  or  capabilities.  lAMs  will  implement  procedures  to  identify  and  audit  users  of  group  accounts 
through  other  operational  mechanisms  such  as  duty  logs. 

(11)  Verify  that  system  configurations  limit  the  number  of  user  failed  log-on  attempts  to  three  before  denying  access 
to  (locking)  that  account,  when  account  locking  is  supported  by  the  IS  or  device.  If  IS-supported,  the  system  will 
prevent  rapid  retries  when  an  authenticator  is  incorrectly  entered  and  gives  no  indications  or  error  messages  that  either 
the  authenticator  or  ID  was  incorrectly  entered  (for  example,  implement  time  delays  between  failed  attempts). 

(12)  Verify  that  system  configurations  generate  audit  logs,  and  investigate  security  event  violations  when  the 
maximum  number  of  authentication  attempts  is  exceeded,  the  maximum  number  of  attempts  from  one  IS  is  exceeded, 
or  the  maximum  number  of  failed  attempts  over  a  set  period  is  exceeded. 

(13)  Reinstate  accesses  only  after  the  appropriate  I A  (for  example,  SA/NA)  personnel  have  verified  the  reason  for 
failed  log-on  attempts  and  have  confirmed  the  access-holder’s  identity.  Permit  automatic  account  unlocking,  for 
example,  after  an  established  time  period  has  elapsed,  as  documented  in  the  C&A  package  and  approved  by  the  DAA, 
based  on  sensitivity  of  the  data  or  access  requirements. 

(14)  If  documented  in  the  C&A  package  and  authorized  by  the  DAA,  time-based  lockouts  (that  is,  access  is 
restricted  based  on  time  or  access  controls  based  on  IP  address,  terminal  port,  or  combinations  of  these)  and  barriers 
that  require  some  time  to  elapse  to  enable  bypassing  may  be  used.  In  those  instances  the  DAA  will  specify,  as  a 
compensatory  measure,  the  following  policies: 

(a)  Implement  mandatory  audit  trails  to  record  all  successful  and  unsuccessful  log-on  attempts. 

(b)  Within  72  hours  of  any  failed  log-on  and  user  lockout,  IA  personnel  will  verify  the  reason  for  failure  and 
implement  corrective  actions  or  report  the  attempted  unauthorized  access. 

(c)  The  SA  will  maintain  a  written  record  of  all  reasons  for  failure  for  1  year. 

(15)  Enforce  temporary  disabling  of  all  accounts  for  deployed  forces  on  garrison  networks  unless  the  accounts  are 
operationally  required. 

(16)  Create  and  enforce  procedures  for  suspending,  changing,  or  deleting  accounts  and  access  privileges  for 
deployed  forces  in  the  event  of  capture,  loss,  or  death  of  personnel  having  network  privilege-level  access. 

(17)  Create  and  enforce  access  auditing,  and  protect  physical  access  control  events  (for  example,  card  reader 
accesses)  and  audit  event  logs  for  physical  security  violations  or  access  controls  to  support  investigative  efforts  as 
required. 

d.  Remote  access  (RAJ. 

(1)  Systems  being  used  for  remote  access  must  meet  security  configurations  to  include  IAVM,  certification  and 
accreditation  standards,  and  will  employ  host-based  security,  for  example  a  firewall  and  IDS,  with  AV  software  before 
authorization  to  connect  to  any  remote  access  server.  Security  configurations  will  be  reviewed  quarterly. 

(2)  Encrypt  log-in  credentials  as  they  traverse  the  network  as  required  for  the  level  of  information  being  accessed  or 
required  for  need-to-know  separation. 

(3)  Encrypt  all  RA  for  network  configuration  or  management  activities  regardless  of  classification  level,  device,  or 
access  method. 

(4)  Users  will  protect  RA  ISs  and  data  consistent  with  the  level  of  information  retrieved  during  the  session. 
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(5)  Disable  remote  device  password  save-functions  incorporated  within  software  or  applications  to  prevent  storage 
of  plain  text  passwords. 

(6)  Remote  access  users  will  read  and  sign  security  and  end-user  agreements  for  remote  access  annually  as  a 
condition  for  continued  access. 

e.  Remote  access  servers  (RASs). 

(1)  Secure  remote  terminal  devices  consistent  with  the  mode  of  operation  and  sensitivity  of  the  information  and 
implement  non-repudiation  measures  when  necessary. 

(2)  Any  IS  that  provides  RAS  capabilities  will  employ  host-based  firewalls  and  intrusion  detection  systems  to  detect 
unauthorized  access  and  to  prevent  exploitation  of  network  services. 

(3)  Any  RAS  being  accessed  remotely  will  employ  a  “Time-Out”  protection  feature  that  automatically  disconnects 
the  remote  device  after  a  predetermined  period  of  inactivity  has  elapsed,  dependent  on  classification  level  of  the 
information,  but  no  longer  than  10  minutes. 

(4)  Remote  access  users  will  be  required  to  authenticate  all  dial-in  operations  with  a  unique  USERID  and  password, 
compliant  with  the  remote  authentication  dial-in  user  system  (RADIUS)  standard. 

(5)  All  RAs  will  terminate  at  a  centrally  managed  access  point  located  within  a  demilitarized  zone  (DMZ)  that  is 
configured  to  log  user  activities  during  a  session. 

(6)  Prohibit  all  RA  (that  is,  virtual  private  network  (VPN),  dial-in)  to  individual  ISs  within  an  enclave  (that  is, 
behind  the  DMZ  firewall). 

(7)  DOIMs  and  IAMs  must  ensure  all  remote  access  servers  (RASs)  undergo  CM  and  C&A  processes. 

(8)  Stand  alone  dial-back  modems  and  modem  systems  that  authenticate  using  RADIUS  are  the  only  allowable  dial- 
in  modems. 

(9)  Physical  security  for  the  terminal  will  meet  the  requirements  for  storage  of  data  at  the  highest  classification  level 
received  at  the  terminal  and  must  be  implemented  within  a  restricted  access  area. 

(10)  Data  between  the  client  and  the  RAS  will  be  encrypted  to  provide  confidentiality,  identification,  non-repudia¬ 
tion  and  authentication  of  the  data.  The  CAC  provides  the  user  with  an  official  certificate. 

(11)  Approved  telework  or  telecommuting  access  will  be  in  accordance  with  established  DOIM,  RCIO,  and 
NETCOM/9th  SC  (A)  C&A  access  procedures  from  a  Government  provided  system  only.  Ad  hoc  telework  access 
(defined  as  one-time,  informal,  or  on  an  infrequent  basis)  will  be  through  existing  and  approved  external  access 
methods  or  portals  such  as  Terminal  Server  Access  Control  System  (TSACS)  or  the  Army  Knowledge  Online  (AKO) 
Web  site. 

(12)  Outside  the  continental  United  States  (OCONUS)  telework  procedures  and  authorization  will  be  approved  by 
the  DAA  and  RCIO  on  a  case-by-case  basis  and  documented  in  the  C&A  package. 

(13)  Audit  all  RAS  connections  at  a  minimum  weekly. 

(14)  Review  RAS  devices  biweekly  for  security  configuration,  patches,  updates,  and  1AVM  compliance. 

f.  Configuration  management  requirements.  The  following  policy  will  be  the  minimum  used  for  the  CM  of  all 
systems: 

(1)  All  CM  plans  will  include  a  maintenance  and  update  strategy  to  proactively  manage  all  IS  and  networks  with  the 
latest  security  or  application  updates.  While  1AVM  is  part  of  a  CM  strategy,  it  is  not  all-inclusive  for  every  IS  in  use  in 
the  Army.  All  ISs  will  have  a  vulnerability  management  strategy  for  testing  and  maintaining  patches,  updates,  and 
upgrades. 

(2)  Hardware  and  software  changes  to  an  accredited  IS,  with  an  established  baseline,  will  be  effected  through  the 
CM  process. 

(3)  The  CCB  or  the  CMB  for  a  site  must  approve  modifying  or  reconfiguring  the  hardware  of  any  computer  system. 
Hardware  will  not  be  connected  to  any  system  or  network  without  the  express  written  consent  of  the  IAM  and  the 
CMB  or  CCB.  In  the  absence  of  a  CCB  or  CMB,  the  appropriate  commander  or  manager  will  provide  the  consent  on 
the  advice  of  the  cognizant  IA  official. 

(4)  Modifying,  installing,  or  downloading  of  any  software  on  any  computer  system  may  affect  system  C&A  and 
must  be  evaluated  and  approved  by  the  IAM  with  the  local  CMB,  CCB,  and  DAA. 

(5)  Configuration  management  controls,  including  version  controls,  will  be  maintained  on  all  software  development 
efforts;  RDT&E  activities;  follow-on  test  and  evaluation  (FOT&E)  activities;  and  other  related  tests  by  the  software 
designer.  A  CM  “baseline  image”  will  be  created,  documented,  kept  current,  and  maintained  by  network  and  system 
administration  personnel  for  all  ISs  within  their  span  of  control.  Exceptions  to  this  baseline  image  will  be  documented 
in  the  C&A  package  and  approved  by  the  DAA. 

(6)  The  minimum  baseline  configuration  for  ISs  will  be  the  published  Security  Technical  Implementation  Guide 
(ST1G)  requirements  or  the  common  criteria  protection  profiles  for  IA  products,  as  available  or  supplemented  and 
published  by  DOD  and  NETCOM/9th  SC  (A),  with  any  changes  documented.  STIGS  are  located  at:  http://iase.disa.mil/ 
stigs/index.html. 

(7)  Prohibit  default  installations  of  “out  of  the  box”  configurations  of  COTS  purchased  products.  COTS  purchased 
products  will  require  system  CM  and  IAVM  compliance  as  a  minimum.  Comprehensive  vulnerability  assessments  of 
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the  test  IS  will  be  conducted  and  documented  before  and  after  installation  of  any  COTS  products  under  consideration 
for  CM  review  or  approval. 

(8)  Upon  acceptance  for  operational  use  (whether  developmental,  GOTS,  or  COTS),  keep  software  under  close  and 
continuous  CM  controls  to  prevent  unauthorized  changes. 

(9)  ISs  must  meet  minimum  levels  of  total  system  exposure.  See  paragraph  4-4  and  DODI  8500.2  to  establish  IA 
baseline  requirements. 

g.  Assessments.  Commanders  will  verify  that  IA  personnel  conduct  initial  and  continual  assessments  to  detect  IS  and 
network  vulnerabilities  using  approved  tools,  tactics,  and  techniques  to  facilitate  the  risk  management  process  and  to 
ensure  compliance  with  network  management,  CM,  IAVM  requirements,  and  security  policies  and  procedures.  Com¬ 
manders  and  IA  personnel  will  ensure  that  all  networks  and  networked  ISs  undergo  a  self-assessed,  vulnerability 
assessment  scan  quarterly.  Prohibit  the  use  of  commercial  scanning  services  or  vendors  without  the  CIO/G6’s  chief 
information  security  officer’s  (CISO)  approval. 

h.  Auditing.  SAs  will  configure  ISs  to  automatically  log  all  access  attempts.  Audits  of  IS  will  be  either  automated  or 
manual  means.  SAs  will  implement  audit  mechanisms  for  those  ISs  that  support  multiple  users. 

(1)  Use  audit  servers  to  consolidate  system  audit  logs  for  centralized  review  to  remove  the  potential  for  unauthorized 
editing  or  deletion  of  audit  logs  in  the  event  of  an  incident  or  compromise. 

(2)  Commands,  organizations,  tenants,  activities,  and  installations  will  support  centralized  audit  server  implementa¬ 
tions  in  the  enterprise. 

(3)  Centralized  audit  servers  logs  will  be  maintained  for  a  minimum  of  1  year. 

(4)  Conduct  self-inspections  by  the  respective  SA/NA  or  IA  manager. 

(5)  Enable  and  refine  default  IS  logging  capabilities  to  identify  abnormal  or  potentially  suspicious  local  or  network 

activity - 

(a)  Investigate  all  failed  login  attempts  or  account  lockouts. 

(b)  Maintain  audit  trails  in  sufficient  detail  to  reconstruct  events  in  determining  the  causes  of  compromise  and 
magnitude  of  damage  should  a  malfunction  or  a  security  violation  occurs.  Maintain  system  audit  logs  locally  for  no 
less  than  90  days. 

(c)  Retain  classified  and  sensitive  IS  audit  files  for  1  year  (5  years  for  SCI  systems,  depending  on  storage 
capability). 

(d)  Provide  audit  logs  to  the  ACERT,  Army-Global  Network  Operations  and  Security  Center  (A-GNOSC),  LE,  or 
Cl  personnel  to  support  forensic,  criminal,  or  counter-intelligence  investigations  as  required. 

(e)  Review  logs  and  audit  trails  at  a  minimum  weekly,  more  frequently  if  required,  and  take  appropriate  actions. 

/.  Contingency  planning.  A  contingency  plan  is  a  plan  for  emergency  response,  backup  operations,  transfer  of 

operations,  and  post-disaster  recovery  procedures  maintained  by  an  activity  as  a  part  of  its  IA  security  program. 
Commanders  will  create  and  practice  contingency  plans  for  each  IS  (a  single  IS  or  local  area  netwrok  (LAN))  for 
critical  assets  as  identified  by  the  data  owner  or  commander  to  support  continuity  of  operations  planning  (COOP).  See 
DA  Pam  25-1-2  for  additional  guidance  and  procedures  for  developing  contingency  plans.  Exercise  contingency  plans 
annually. 

j.  Data  integrity. 

(1)  Implement  safeguards  to  detect  and  minimize  unauthorized  access  and  inadvertent,  malicious,  or  non-malicious 
modification  or  destruction  of  data. 

(2)  Implement  safeguards  to  ensure  that  security  classification  levels  remain  with  the  transmitted  data. 

(3)  DAA  will  identify  data  owners  for  each  database  on  their  networks.  Only  the  original  classification  authority 
(OCA)  is  authorized  to  change  the  data  classification. 

(4)  DAA  will  develop  and  enforce  policies  and  procedures  to  routinely  or  automatically  backup,  verify,  and  restore 
(as  required)  data,  ISs,  or  devices  at  every  level.  These  policies  and  procedures  will  be  captured  in  the  C&A  package. 

(5)  Use  data  or  data  sources  that  have  verifiable  or  trusted  information.  Examples  of  trusted  sources  include,  but  are 
not  limited  to,  information  published  on  DOD  and  Army  sites  and  vendor  sites  that  use  verified  source  code  or 
cryptographic  hash  values. 

(6)  Protect  data  at  rest  (for  example,  databases,  files)  to  the  classification  level  of  the  information  with  authorized 
encryption  and  strict  access  control  measures  implemented. 

k.  C&A  package.  The  C&A  package  will  be  available  to  the  site-assigned  IASO  for  the  life  of  each  IS  or  LAN, 
including  operational,  prototype,  test,  or  developmental  systems.  This  C&A  package  will  include  at  a  minimum  the 
System  Identification  Profile  (SIP),  Scorecard,  and  plan  of  action  and  milestones  (POA&M). 

/.  IA  product  acquisition.  All  security-related  COTS  hardware,  firmware,  and  software  components  (excluding 
cryptographic  modules)  required  to  protect  ISs  will  be  acquired  in  accordance  with  public  law  and  will  have  been 
evaluated  and  validated  in  accordance  with  appropriate  criteria,  schemes,  or  protection  profiles  (http://www.nia- 
p.nist.gov/)  and  this  regulation.  IA  products  listed  on  the  IA  Approved  Products  List  (APL)  available  on  the  IA 
website,  will  be  evaluated/selected  first,  and  then  procured  through  Army  Computer  Hardware,  Enterprise,  Software 
and  Solutions  contract  vehicles  before  other  I A  products  are  procured.  For  PEO/PM’s,  the  CSLA  BPA  requirements 
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only  applies  to  the  procurement  of  COMSEC  devices.  All  GOTS  products  will  be  evaluated  by  NSA  or  in  accordance 
with  NSA-approved  processes.  NETCOM/9th  SC  (A)  and  ClO/G-6  may  approve  exceptions  to  IA  products  evaluations 
when  no  criteria,  protection  profile,  or  schema  exists  or  is  under  development,  and  the  removal  or  prohibition  of  such 
an  1A  product  would  significantly  degrade  or  reduce  the  ability  of  personnel  to  secure,  manage,  and  protect  the 
infrastructure. 

m.  Notice  and  consent  procedures.  Commanders  will  verify  that  all  computers  under  their  control,  independently, 
prominently  and  completely  display  the  Notice  and  Consent  Banner  immediately  upon  users’  authentication  to  the 
system,  including,  but  not  limited  to,  web,  ftp,  telnet,  or  other  services  access. 

(1)  General  Notification:  Army  users  of  DOD  telecommunications  systems  or  devices  are  advised  that  DOD 
provides  such  systems  and  devices  for  conducting  authorized  use.  Users  are  subject  to  telecommunications  monitoring, 
including  their  personal  communications  and  stored  information. 

(2)  Using  Government  telecommunications  systems  and  devices  constitutes  the  user’s  consent  to  monitoring. 

(3)  Users  will  be  advised  that  there  is  no  expectation  of  privacy  while  using  ISs  or  accessing  Army  resources. 

(4)  The  user  must  take  a  positive  action  to  accept  the  terms  of  the  notice  and  consent  warning  banner  before  a 
successful  logon  is  completed. 

(5)  Post  appropriate  warning  banners  and  labels  in  accordance  with  this  regulation. 

(6)  The  following  access  warning  banner  replaces  the  warning  banner  in  AR  380-53  and  will  not  be  modified 
further.  The  banner  to  be  posted  on  Army  networks,  systems,  and  devices  will  state — 

(7)  “YOU  ARE  ACCESSING  A  U.S.  GOVERNMENT  (USG)  INFORMATION  SYSTEM  (IS)  THAT  IS  PRO¬ 
VIDED  FOR  USG- AUTHORIZED  USE  ONLY.”  By  using  this  IS  (which  includes  any  device  attached  to  this  IS),  you 
consent  to  the  following  conditions:  The  USG  routinely  intercepts  and  monitors  communications  on  this  IS  for 
purposes  including,  but  not  limited  to,  penetration  testing,  COMSEC  monitoring,  network  operations  and  defense, 
personnel  misconduct  (PM),  law  enforcement  (LE),  and  counterintelligence  (Cl)  investigations.  At  any  time,  the  USG 
may  inspect  and  seize  data  stored  on  this  IS.  Communications  using,  or  data  stored  on,  this  IS  are  not  private,  are 
subject  to  routine  monitoring,  interception,  and  search,  and  may  be  disclosed  or  used  for  any  USG-authorized  purpose. 
This  IS  includes  security  measures  (e.g.,  authentication  and  access  controls)  to  protect  USG  interests-not  for  your 
personal  benefit  or  privacy.  Notwithstanding  the  above,  using  this  IS  does  not  constitute  consent  to  PM,  LE,  or  Cl 
investigative  searching  or  monitoring  of  the  content  of  privileged  communications,  or  work  product,  related  to  personal 
representation  or  services  by  attorneys,  psychotherapists,  or  clergy,  and  their  assistants.  Such  communications  and  work 
product  are  private  and  confidential.  See  User  Agreement  for  details. 

(8)  For  those  personal  computing  devices  such  as  Blackberries  and  other  PDAs  that  have  technical  limitations  to  the 
full  banner,  then  the  only  approved  solution  will  be:  “I’ve  read  &  consent  to  terms  in  IS  user  agreem’t.” 

(9)  For  media  devices,  services,  protocols,  and  other  limited  text  input  requirements  other  than  PDA  devices 
requiring  access,  such  as  routers,  firewalls,  bannered  access  ports,  and  so  forth.  This  banner  will  be  “Subject  to  Army 
Warning  banner  in  AR  25-2,  4-5/n(7).” 

n.  Virus  protection.  Implement  the  virus  protection  guidance  provided  below  on  all  ISs  and  networks,  regardless  of 
classification  or  purpose — - 

(1)  Users  and  SAs  will  scan  all  files,  removable  media,  and  software,  including  new  “shrink-wrapped”  COTS 
software,  with  an  installed  and  authorized  AV  product  before  introducing  them  onto  an  IS  or  network.  Files,  media  and 
software  found  to  be  infected  with  a  virus  will  be  reported  by  users  to  the  SA, 

(2)  To  minimize  the  risks  of  viruses,  implement  the  following  countermeasures: 

(a)  SAs  will  configure  all  ISs  with  a  current  and  supportable  version  of  the  AV  software  configured  to  provide  real¬ 
time  protection  from  the  approved  products  list  with  automated  updates  and  reporting  enabled. 

(b)  IA  personnel  should  take  the  multilevel  approach  to  virus  detection  by  installing  one  AV  package  on  the 
workstations  and  a  different  AV  package  on  the  servers. 

(c)  SAs  will  update  virus  definitions  at  a  minimum  weekly,  or  as  directed  by  the  ACERT  for  immediate  threat 
reduction.  Virus  definition  availability  is  based  on  vendors’  capabilities.  IA  personnel  will  institute  automated  antivirus 
definition  updates  as  published  or  available  from  authorized  DOD  or  Army  sites. 

(3)  IA  personnel  will  train  users  to  recognize  and  report  virus  symptoms  immediately. 

(4)  IAMs  will  implement  virus-reporting  procedures  to  support  DOD  and  Army  reporting  requirements. 

o.  Mobile  code. 

( 1 )  Mobile  code  is  executable  software,  transferred  across  a  network,  downloaded,  and  executed  on  a  local  system 
without  notification  to,  or  explicit  installation  and  execution  by,  the  recipient. 

(2)  Mobile  code  has  the  potential  to  severely  degrade  operations  if  improperly  used  or  controlled.  The  objective  of 
the  mobile  code  security  policy  is  to  deny  untrusted  mobile  code  the  ability  to  traverse  the  Army  enterprise.  As  a 
minimum,  the  Army  mobile  code  mitigation  policy  will  be  implemented  to  support  the  DOD  mobile  code  policy. 
Untrusted  mobile  code  will  not  be  allowed  to  traverse  the  enterprise  unless  NETCOM/9th  SC  (A)  CCB-approved 
mitigating  actions  have  been  emplaced. 


p.  Layering. 
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(1)  Layering  is  a  process  of  implementing  similar  security  configurations  or  mechanisms  at  multiple  points  in  an  IS 
architecture.  Doing  so  eliminates  single  points  of  failure,  provides  redundant  capabilities,  increases  access  granularity 
and  auditing,  and  implements  an  effective  computer  or  network  attack  detection  and  reaction  capability. 

(2)  The  Army  enterprise  1A  security  DiD  structure  requires  a  layering  of  security  policies,  procedures,  and  technolo¬ 
gy,  including  best  practices  such  as  redundant  capabilities  or  use  of  alternative  operating  systems,  to  protect  all  network 
resources  within  the  enterprise.  Layered  defenses  at  the  boundaries,  for  example,  include,  but  are  not  limited  to  using 
inbound  and  outbound  proxy  services,  firewalls,  IDSs,  IPSs,  and  DMZs. 

q.  Filtering.  Filtering  policies  will  block  ingress  and  egress  services,  content,  sources,  destinations,  ports,  and 
protocols  not  required  or  authorized  across  the  enterprise  boundary.  Router  and  firewall  access  control  lists  (ACLs) 
provide  a  basic  level  of  access  control  over  network  connections  based  on  security  or  operational  policy. 

(1)  Filtering  at  the  enterprise  boundary  is  the  primary  responsibility  of  the  NETCOM/9th  SC  (A)  TNOSCs  using 
tools  and  techniques  applied  at  the  enterprise  level. 

(2)  At  all  levels  subordinate  to  NETCOM/9th  SC  (A),  filtering  policies  and  technology  will  be  implemented  and 
layered  throughout  the  architecture  and  enforced  at  all  capable  devices.  Audit  and  system  or  device  generated  event 
logs  will  be  provided  to  NETCOM/9th  SC  (A).  These  policies  should  be  complementary. 

(3)  Filtering  products  and  techniques  are  intended  to  proactively  reduce  ingress  and  egress  security  threats  to 
enterprise  systems  and  information  without  targeting  specific  individuals.  The  most  common  threats  are  associated  with 
malicious  content,  misuse,  security  policy  violations,  content  policy  violations,  or  criminal  activity.  Threat  mitigation 
policies  will  be  incorporated,  configured,  and  monitored  to  reduce  or  identity  these  threats  and  include,  but  are  not 
limited  to,  ACL  configuration  on  routing  devices  to  prevent  access  to  unauthorized  sites,  AV  installations,  cache  or 
proxy  servers  (to  maintain  connection  state),  firewalls,  mail  exchange  configurations  (for  example,  auto-deletion  of 
attachments),  network  monitoring  software  such  as  IDS  or  Intrusion  Prevention  System  (IPS)  configured  to  terminate 
suspicious  traffic,  content  management,  or  web  filtering  applications. 


r.  A  UP. 


(1)  Commanders  and  Directors  will  implement  an  AUP  for  all  user  accesses  under  their  control  (see  the  sample 
AUP  at  appendix  B). 

(2)  Users  will  review  and  sign  an  AUP  prior  to  or  upon  account  activation.  Digital  signatures  are  authorized. 

(3)  1A  personnel  will  maintain  documented  training  records. 

(4)  DOD  policy  states  that  Federal  Government  communication  systems  and  equipment  (including  Government- 
owned  telephones,  facsimile  machines,  electronic  mail,  internet  systems,  and  commercial  systems),  when  use  of  such 
systems  and  equipment  is  paid  for  by  the  Federal  Government,  will  be  for  official  use  and  authorized  purposes  only. 

(5)  Official  use  includes  emergency  communications  and  communications  necessary  to  carry  out  the  business  of  the 
Federal  Government.  Official  use  can  also  include  other  use  authorized  by  a  theater  commander  for  Soldiers  and 
civilian  employees  deployed  for  extended  periods  away  from  home  on  official  business. 

(6)  Authorized  purposes  include  brief  communications  by  employees  while  they  are  traveling  on  Government 
business  to  notify  family  members  of  official  transportation  or  schedule  changes.  Authorized  purposes  can  also  include 
limited  personal  use  established  by  appropriate  authorities  under  the  guidelines  of  the  Joint  Ethics  Regulation  (DOD 
5500.7-R). 

(7)  Certain  activities  are  never  authorized  on  Army  networks.  AUPs  will  include  the  following  minimums  as 
prohibited.  These  activities  include  any  personal  use  of  Government  resources  involving:  pornography  or  obscene 
material  (adult  or  child);  copyright  infringement  (such  as  the  sharing  of  copyright  material  by  means  of  peer-to-peer 
software);  gambling;  the  transmission  of  chain  letters;  unofficial  advertising,  soliciting,  or  selling  except  on  authorized 
bulletin  boards  established  for  such  use;  or  the  violation  of  any  statute  or  regulation. 

s.  Monitoring  networks. 

(1)  Network  monitoring  includes  any  of  a  number  of  actions  by  1A  personnel  aimed  at  ensuring  proper  performance 
and  management.  When  any  of  these  monitoring  activities  involve  intercepting  (capturing  in  real  time)  the  contents  of 
wire  or  electronic  communications,  they  must  fall  within  the  limits  of  the  service  provider  exception  to  the  Federal 
wiretap  statute.  The  service  provider  exception  allows  system  and  network  administrators  to  intercept,  use,  and  disclose 
intercepted  communications  as  long  as  the  actions  are  conducted  in  the  normal  course  of  employment  and  the  SA/NA 
is  engaged  in  an  activity  that  is  necessary  to  keep  the  service  operational  or  to  protect  the  rights  or  property  of  the 
service  provider.  Therefore,  IA  personnel  must  consult  with  legal  counsel  to  ensure  that  their  activities  involving 
systems  management  and  protection  are  properly  authorized. 

(2)  IA  personnel  performing  ingress  and  egress  network  monitoring  or  filtering  activities  are  authorized  to  use  CIO/ 
G-6-approved  automated  monitoring  tools  maintained  and  configured  by  NETCOM/9th  SC  (A)  as  network  devices  to 
aid  in  the  performance  and  management.  It  is  important  to  recognize  that  the  SA/NA  does  not  have  unlimited  authority 
in  the  use  of  these  network  monitoring  tools.  The  approved  tool  may  contain  technical  capabilities  beyond  those  tasks 
for  which  the  tool  was  approved;  as  such  the  IA  personnel  must  ensure  that  approved  tools  are  used  only  for  their 
intended  purpose. 
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(3)  IA  personnel  will  not  use  unapproved  IA  tools,  use  IA  tools  for  unapproved  purposes,  or  misuse  auto¬ 
mated  IA  tools.  Violations  will  be  reported  through  appropriate  command  channels  to  the  CIO/G-6.  Exceptions  to  the 
configuration  of  these  devices  will  be  approved  on  a  case-by-case  basis  by  NETCOM/9th  SC  (A). 

(4)  In  general  terms,  IA  personnel  and  SAs/NAs  do  not  engage  in  blanket  network  monitoring  of  internal  communi¬ 
cations.  However,  the  Army  reserves  the  right  at  any  time  to  monitor,  access,  retrieve,  read,  or  disclose  internal 
communications  when  a  legitimate  need  exists  that  cannot  be  satisfied  by  other  means  pursuant  to  para  4-5/,  below. 

(5)  As  a  matter  of  normal  auditing,  SAs/NAs  may  review  web  sites  logs,  files  downloaded,  ingress  and  egress 
services  and  similar  audited  or  related  information  exchanged  over  connected  systems.  Supervisors  and  managers  may 
receive  reports  detailing  the  usage  of  these  and  other  internal  information  systems,  and  are  responsible  for  determining 
that  such  usage  is  both  reasonable  and  authorized. 

(6)  As  a  matter  of  normal  auditing,  SAs/NAs  may  store  all  files  and  messages  through  routine  back  ups  to  tape, 
disk,  or  other  storage  media.  This  means  that  information  stored  or  processed,  even  if  a  user  has  specifically  deleted  it, 
is  often  recoverable  and  may  be  examined  at  a  later  date  by  SAs/NAs  and  others  permitted  by  lawful  authority. 

(7)  SA/NAs  may  provide  assistance  to  Army  supervisory  and  management  personnel,  under  lawful  authority,  to 
examine  archived  electronic  mail,  personal  computer  file  directories,  hard  disk  drive  files,  and  other  information  stored 
on  ISs.  This  information  may  include  personal  data.  Such  examinations  are  typically  performed  to  assure  compliance 
with  internal  policies;  support  the  performance  of  administrative  investigations;  and  assist  in  the  management  and 
security  of  data  and  ISs. 

(8)  When  IA  personnel  discover  information  during  the  course  of  their  normal  activity  that  indicates  a  violation  of 
acceptable  use  or  a  possible  criminal  offense,  they  will  immediately  report  the  finding  to  their  Commander.  The 
commander  will  immediately  report  known  or  suspected  criminal  activity  to  LE  and  will  consult  with  legal  counsel 
concerning  activities  that  appear  merely  to  violate  acceptable  use.  IA  personnel  will  retain  and  provide  information 
related  to  the  matter  to  LE  when  required. 

(9)  With  the  exceptions  of  the  SA/NA  as  identified  below,  Army  personnel  and  contractors  are  prohibited 
from  browsing  or  accessing  other  user’s  e-mail  accounts. 

(10)  The  SA/NA  may  only  intercept,  retrieve,  or  otherwise  recover  an  e-mail  message  and  any  attachments  thereto, 
only  under  the  following  circumstances: 

(a)  With  consent  (expressed  or  implied)  of  a  party  to  the  communication  involved. 

(b)  In  response  to  a  request  for  technical  assistance  from: 

/.  LE/CI  personnel  pursuant  to  a  properly  authorized  LE/CI  investigation. 

2.  A  supervisor  as  part  of  a  non-investigatory  management  search  in  accordance  with  paragraph  4-5/,  below. 

3.  An  investigating  officer  pursuant  to  a  properly  authorized  administrative  investigation  (for  example,  a  preliminary 
inquiry  under  Rule  for  Courts-Martial  303,  an  informal  investigation  under  AR  15-6,  or  a  preliminary  inquiry  under 
AR  380-5). 

4.  Information  systems  security  monitoring  personnel  pursuant  to  properly  authorized  IS  security  monitoring 
activities. 

5.  Inspector  General  personnel  pursuant  to  an  authorized  inspection,  investigation,  or  inquiry. 

(11)  The  SA/NA  may  remove  any  e-mail,  file,  or  attachment  that  is  interfering  with  the  operation  of  an  IS  without 
consent  of  the  originator  or  recipient.  The  SA/NA  will  notify  the  originator  and  recipient  of  such  actions. 

(12)  The  SA/NA  is  not  authorized  to  use  techniques  or  software  to  penetrate  or  bypass  user’s  information  protec¬ 
tions  (for  example,  content  restrictions  or  read-only  protections  used  to  maintain  or  enforce  document  integrity,  version 
control,  or  need-to-know  enforcement). 

/.  Management  search.  In  the  absence  of  the  user  (for  example,  TDY,  extended  hospital  stay,  incapacitation, 
emergency  operational  requirement),  only  the  SA/NA  is  authorized  limited  access  to  the  user’s  files  to  support 
administrative  management  searches  to  provide  the  requested  information  as  required  for  official  purposes.  When  such 
access  is  requested,  the  SA  will — 

(1)  Brief  the  supervisor  as  to  the  limits  of  accessing  the  user’s  data  files. 

(2)  Limit  the  scope  of  the  authorized  search  to  those  files  reasonably  related  to  the  objective  of  the  search  (that  is,  e- 
mail  access  would  not  be  reasonable  when  searching  for  a  word  document  file). 

(3)  Limit  the  search  to  the  time  necessary  to  locate  the  required  data  in  the  most  relevant  file  location. 

(4)  Inform  the  individual  of  requested  file  access  as  soon  as  possible  after  such  requests,  and  document  this  access 
in  a  memorandum. 

(5)  SAs/NAs  will  not  grant  unrestricted  supervisory  access  to  individual  information,  data  files,  or  accounts. 

(6)  SA/NAs  will  not  access  individual  information  or  data  files  unless  conducting  a  management  search,  an 
authorized  administrative  search,  or  supporting  a  LE/CI  authorized  investigation. 

(7)  SA/NAs  may  conduct  an  authorized  investigative  or  management  search  of  assigned  IS  upon  an  individuals’ 
termination  of  employment,  death,  or  other  permanent  departure  from  the  organization  to  retrieve  data  and  files 
associated  with  the  organizational  mission. 
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Section  II 
Software  Security 

4-6.  Controls 

a.  IA  personnel  will  implement  controls  to  protect  system  software  from  compromise,  unauthorized  use,  or 
manipulation. 

b.  The  DA  A,  materiel  developer,  CIO,  or  IAM  will  document  all  software  used  for  control  purposes  in  the  C&A 
package  as  a  minimum. 

c.  PEOs,  PMs,  and  functional  proponents  will  require  vendors  seeking  to  support  the  AE1  to  submit  SF  328 
(Certificate  Pertaining  to  Foreign  Interests). 

d.  All  COTS  software  used  on  ISs  will  be  fully  licensed  (under  U.S.  Copyright  Law). 

e.  Incorporate  IAVM  compliance,  patch  management,  IA,  and  AV  software  into  contracts  with  software  developers 
regardless  of  the  software’s  purpose  (for  example,  medical  devices). 

f.  Program  managers  and  DAA  will  restrict  systems  used  or  designated  as  “test  platforms”  from  connecting  to 
operational  network.  PM  and  DAAs  can  authorize  temporary  connections  to  conduct  upgrades,  download  patches,  or 
perform  vulnerability  scans  when  off-line  support  capabilities  are  insufficient  and  protections  have  been  validated. 
Remove  the  “test  platform”  IS  immediately  upon  completion  of  the  action  until  it  has  been  operationally  accredited  and 
is  fully  compliant. 

g.  Use  of  “shareware”  or  “freeware”  is  prohibited  unless  specifically  approved  through  IA  personnel  and  by  the 
DAA  for  a  specific  operational  mission  requirement  and  length  of  time  when  no  approved  product  exists.  Notify 
RCIOs  and  the  supporting  RCERT/TNOSC  of  local  software  use  approval. 

h.  Use  of  “open  source”  software  (for  example,  Red  Hat  Linux)  is  permitted  when  the  source  code  is  available  for 
examination  of  malicious  content,  applicable  configuration  implementation  guidance  is  available  and  implemented,  a 
protection  profile  is  in  existence,  or  a  risk  and  vulnerability  assessment  has  been  conducted  with  mitigation  strategies 
implemented  with  DAA  and  CCB  approval  and  documentation  in  the  C&A  package.  Notify  RCIOs  and  the  supporting 
RCERT/TNOSC  of  local  software  use  approval. 

i .  Use  of  data  assurance  and  operating  systems  integrity  products  (for  example,  public  key  infrastructure  (PKI), 
Tripwire,  Internet  protocol  security  (IPSec),  transmission  control  protocol/I ntemet  protocol  (TCP/IP)  wrappers)  will  be 
included  in  product  development  and  integrated  into  end-state  production  systems. 

j.  IAMs  and  developers  will  transition  high-risk  services  such  as,  but  not  limited  to,  ftp  or  telnet  to  secure 
technologies  and  services  such  as  secure  ftp  (sftp)  and  secure  shell  (ssh). 

k.  Army  personnel,  including  contractors,  will  not  introduce  classified  or  sensitive  information  into  an  IS  until 
the  data  confidentiality  level  and  protection  level  of  the  IS  has  been  certified,  the  appropriate  IS  protection 
mechanisms  are  operational,  and  the  DAA  approval  or  waiver  has  been  obtained.  The  data  owner  will  approve 
entering  the  data,  where  applicable.  Data  will  not  exceed  the  security  classification  level  for  which  the  IS  has  been 
approved. 

4-7.  Database  management 

a.  Databases  store  information  and  will  be  managed  to  ensure  that  the  data  is  accurate,  protected,  accessible,  and 
verifiable  so  that  commanders  at  all  levels  can  rely  on  trusted  information  in  the  decision  making  process.  Commanders 
will  appoint  a  database  administrator  (DBA)  for  each  operational  database. 

b.  The  DBA  will  be  certified  through  either  training  or  experience  in  the  database  being  managed. 

c.  The  DBA  will  develop  and  implement  controls  to  protect  database  management  systems  from  unauthorized 
schema  modifications. 

d.  The  DBA  will  develop  and  implement  access  and  auditing  controls  to  protect  database  management  systems  from 
unauthorized  accesses,  queries,  input  or  activity. 

e.  The  DBA  will  conduct  weekly  backups  of  the  database  and  schema,  as  a  minimum,  or  more  often  as  directed  by 
the  IAPM  or  IAM. 

f  The  SO  will  protect  databases  from  direct  Internet  access  using  filtering  and  access  control  devices  (for  example, 
firewalls,  routers,  access  control  lists  (ACLs)). 

g.  Data  owners  will  identify  the  classification  or  confidentiality  level  of  data  residing  in  the  database  and  special 
controls,  access  requirements,  or  restrictions  required  to  be  implemented  by  the  DBA. 

h.  The  SO  will  place  databases  on  isolated  and  dedicated  servers  with  restricted  access  controls.  DBAs  will  not 
install  other  vulnerable  servers  or  services  (for  example,  web  servers,  ftp  servers)  that  may  compromise  or  permit 
unauthorized  access  of  the  database  through  another  critical  vulnerability  identified  in  the  additional  servers  or  services. 

i.  Databases  should  be  hosted  on  trusted  military  IS  or  networks.  As  part  of  the  C&A  process,  the  CA  and  DAA  will 
review  and  approve  a  detailed  risk  management  process  as  documented  in  the  C&A  package  before  operational 
implementation  of  databases  located  in  contractor  owned,  operated,  or  managed  networks. 
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j.  Before  the  DAA  grants  an  approval  to  operate  (ATO),  the  following  minimum  requirements  will  be  addressed  in  a 
security  compliance  plan: 

(1)  DBA  certifications  and  experience  in  the  proffered  system(s)  and  application(s). 

(2)  Security  background  investigation(s)  of  the  administrators)  and  verification  procedures  equivalent  to  the  IT 
position  held  by  the  DBA  and  the  classification  of  the  system. 

(3)  Control  measures  for  encrypted  privileged-level,  root,  administrator,  and  user  accesses  in  accordance  with  Army 
access  standards. 

(4)  Control  measures  to  protect  database(s)  and  management  systems  from  unauthorized  queries,  input,  or  activity 
for  example;  data  input  validation  and  exception  routines. 

(5)  Control  measures  for  database(s)  and  server  update,  management,  backup,  and  recovery  procedures. 

(6)  Control  measures  and  procedures  for  audits,  analysis,  incident  and  intrusion  response. 

(7)  Control  measures  to  protect  database(s)  servers  and  interfaces  from  direct,  unauthorized,  or  un-authenticated 
Internet  access  using  filtering  and  access  control  devices  or  capabilities  (for  example,  firewalls,  routers,  ACLs). 

(8)  Control  measures  to  protect  database(s)  servers  and  interfaces  from  physical  access  threats. 

(9)  Control  measures  to  protect  database(s)  servers  and  interfaces  from  logical  threats. 

(10)  For  contractor  owned,  operated,  or  managed  databases,  the  contractor  will  conduct  an  initial  comprehensive 
vulnerability  assessment  of  the  configuration,  security,  and  network  upon  which  the  servers  reside,  and  provide  the 
complete  results  to  authorized  Army  representatives. 

(11)  For  contractor  owned,  operated,  or  managed  databases,  the  contractor  will  conduct  quarterly  comprehensive 
vulnerability  assessments  and  evaluations  and  furnish  the  results  to  authorized  Army  representatives. 

k.  Data  owners  and  DBAs  will  implement  and  support  DOD  data/meta-data  tagging  requirements  as  initiatives, 
software,  procedures,  and  methodologies  are  developed  and  implemented. 

4-8.  Design  and  test 

a.  All  information  systems  will  be  designed  to  meet  the  IA  controls  as  identified  in  DOD1  8500.2  and  be  configured 
in  compliance  with  the  applicable  DISA  STIG  or  baselined  system  with  identified  changes  documented  as  part  of  the 
accreditation  process. 

b.  All  information  and  information-based  systems  will  incorporate  embedded  software  security  solutions  throughout 
the  system  life  cycle. 

c.  System  developers  will  contact  CSLA  during  initial  design  to  determine  COMSEC  device  requirements  (if 
required)  in  system  design. 

d.  Before  fielding,  all  information  and  information-based  systems  will  be  tested  per  an  approved  Test  and  Evaluation 
Master  Plan  (TEMP)  that  contains  current,  validated  threats  to  each  IS.  The  systems  will  demonstrate  successful 
completion  of  all  required  test  and  evaluation  events  at  each  acquisition  decision  milestone. 

e.  Conduct  vulnerability  assessments  on  all  systems  before  fielding  or  installing  systems  to  identify  residual 
vulnerabilities  and  provide  risk  mitigation  strategies  for  those  vulnerabilities  that  are  operationally  required. 

Section  III 

Hardware,  Firmware,  and  Physical  Security 
4-9.  Hardware-based  security  controls 

Consider  hardware  security,  COMSEC,  and  IA  requirements  in  the  concept,  design,  development,  acquisition,  fielding, 
and  support  of  ISs. 

a.  System  developers  will  incorporate  controls  to  protect  hardware  and  firmware  from  compromise  and  unauthorized 
use,  removal,  access,  or  manipulation. 

b.  After  initial  fielding  and  installation  of  hardware  or  firmware,  proposed  additions  must  go  through  an  Installation 
configuration  management  board  for  approval  before  installation  and  operation.  The  CCB  Chair  or  responsible 
Information  Management  (IM)  official  will  notify  the  DAA,  Army  CA,  materiel  developer,  CIO,  1AM,  RCIO,  DOIM, 
or  authorized  IM  officer  before  installation  and  operation,  as  applicable.  Proposed  additions  may  require  revalidation  or 
re-accreditation  of  the  system’s  security  posture  and  accreditation  approval. 

c.  The  C&A  will  include  an  inventory  of  all  identifiable  hardware,  firmware,  and  software  that  are  parts  of  the 
system. 

d.  Maintain  CM  controls  for  all  hardware  and  firmware  test  and  evaluation,  follow-on  test  and  evaluation,  and  other 
related  activities  by  the  materiel  developer. 

e.  IAPMs,  IAMs,  or  system  developers  will  contact  CSLA  to  review  applicable  IA  BPAs  (both  from  DOD  and  the 
Army)  before  initiating  requisition  actions. 

4-10.  Maintenance  personnel 

The  Commander  will  verify  or  validate  the  following: 
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a.  Clearances.  Maintenance  personnel  will  be  cleared  to  the  highest  level  of  data  handled  by  the  IS.  Clearance 
requirements  will  be  included  in  maintenance  contracts,  statements  of  work,  and  specified  on  the  DD  Form  254 
(Department  of  Defense  (DOD)  Contract  Security  Classification  Specification),  in  accordance  with  AR  380-49,  where 
applicable. 

b.  Restrictions.  Escort  and  observe  uncleared  maintenance  personnel  at  all  times  by  a  cleared  and  technically 
qualified  individual.  Non-U.S.  citizens  will  not  perform  maintenance  on  ISs  that  process  TOP  SECRET  (TS),  Sensitive 
Compartmented  Information  (SCI),  Special  Intelligence  (SI),  Single  Integrated  Operational  Plan-Extremely  Sensitive 
Information  (SIOP-ESI),  or  SAP  information. 

c.  Use  of  non-U.S.  citizens.  When  non-U.S.  citizens  are  employed  to  maintain  ISs,  address  such  use  as  a  vulnerabil¬ 
ity  in  the  risk  assessment  and  identify  and  employ  appropriate  countermeasures. 

d.  Maintenance  by  cleared  personnel.  Personnel  who  perform  maintenance  on  classified  systems  will  be  cleared  and 
indoctrinated  to  the  highest  classification  level  of  information  processed  on  the  system.  Appropriately  cleared  mainte¬ 
nance  personnel  do  not  require  an  escort.  Need-to-know  requirements  may  be  inherent  to  adequately  perform  mainte¬ 
nance  or  take  corrective  actions.  An  appropriately  cleared  and  technically  knowledgeable  employee  will  be  present  or 
review  the  system  during  maintenance  to  assure  adherence  to  security  procedures. 

e.  Maintenance  by  uncleared  (or  lower-cleared)  personnel.  If  cleared  maintenance  personnel  are  unavailable, 
individuals  with  the  technical  expertise  to  detect  unauthorized  modifications  will  monitor  all  uncleared  maintenance 
personnel. 

(1)  Uncleared  maintenance  personnel  will  be  U.S.  citizens.  Outside  the  U.S.,  where  U.S.  citizens  are  not  available  to 
perform  maintenance,  use  FNs  as  an  exception,  with  DAA  approval  and  documentation  in  the  C&A  package. 

(2)  Before  maintenance  by  uncleared  personnel,  the  IS  will — 

(a)  Be  completely  cleared  and  all  nonvolatile  data  storage  media  removed  or  physically  disconnected  and  secured. 

(b)  When  a  system  cannot  be  cleared,  IAM-approved  procedures  will  be  enforced  to  deny  the  uncleared  individual 
visual  and  electronic  access  to  any  classified  or  sensitive  information  that  is  contained  on  the  system. 

(3)  A  separate,  unclassified  copy  of  the  operating  system  (for  example,  a  specific  copy  other  than  the  copies  used  in 
processing  information),  including  any  floppy  disks  or  cassettes  that  are  integral  to  the  operating  system,  will  be  used 
for  all  maintenance  operations  performed  by  uncleared  personnel.  The  copy  will  be  labeled  “UNCLASS1FIED-FOR 
MAINTENANCE  ONLY”  and  protected  in  accordance  with  procedures  established  in  the  SSAA/System  Security 
Policy  (SSP).  Ensure  that  the  media  is  write-protected  before  use  in  classified  systems. 

(4)  Maintenance  procedures  for  an  IS  using  a  non-removable  storage  device  on  which  the  operating  system  resides 
will  be  considered  and  approved  by  the  IAM  on  a  case-by-base  basis. 

(5)  The  use  of  commercial  data  recovery  services  will  be  documented  in  the  C&A  package  and  approved  by  the 
DAA  with  approval  from  the  data  owner  and  notification  to  the  CIO/G-6  CISO. 

4-11.  Security  objectives  and  safeguards 

The  Commander  will  verily  or  validate  the  following: 

a.  Secure  removable  media  that  process  and  store  classified  information  in  an  area  or  a  container  approved  for 
safeguarding  classified  media  per  AR  380-5. 

b.  Establish  checks  and  balances  to  reduce  the  risk  of  one  individual  adversely  affecting  system  or  network 
operations. 

c.  Implement  physical  security  requirements  for  ISs  to  prevent  loss,  damage,  or  unauthorized  access. 

d.  Prohibited  storage  of  portable  ISs  or  personal  electronic  devices  (PEDs)  that  contain  classified  information  in 
personal  residences.  Exceptions  will  follow  the  guidance  as  prescribed  in  AR  380-5,  paragraph  7-6,  and  authorized  as 
an  exception  only  when  an  operational  requirement  exists. 

e.  Include  facilities  or  spaces  housing  critical  systems  (for  example,  e-mail  servers,  web  servers)  as  part  of  the 
physical  security  program  and  restrict  access. 

Section  IV 
Procedural  Security 

4-12.  Password  control 

a.  Implement  two-factor  authentication  techniques  as  the  access  control  mechanism  in  lieu  of  passwords.  Use  CAC 
as  the  primary  access  credential,  or  biometric  or  single-sign  on  access  control  devices  when  the  IS  does  not  support 
CAC. 

b.  The  IAM  or  designee  will  manage  the  password  generation,  issuance,  and  control  process.  If  used,  generate 
passwords  in  accordance  with  the  BBP  for  Army  Password  Standards. 

c.  The  holder  of  a  password  is  the  only  authorized  user  of  that  password. 

d.  The  use  of  one-time  passwords  is  acceptable,  but  organizations  must  transition  to  secure  access  capabilities  such 
as  SSH  or  secure  sockets  layer  (SSL).  See  remote  access  requirements  in  para  4-5 d. 


AR  25-2  •  24  October  2007 


31 


ManningB_0001 6266 


Q 


O 


e.  SAs  will  configure  ISs  to  prevent  displaying  passwords  in  the  clear  unless  tactical  operations  (for  example,  heads- 
up  displays  while  an  aircraft  is  in  flight)  pose  risks  to  life  or  limb. 

/  IAMs  will  approve  and  manage  procedures  to  audit  password  files  and  user  accounts  for  weak  passwords, 
inactivity,  and  change  history.  IAMs  will  conduct  quarterly  auditing  of  password  files  on  a  stand-alone  or  secured 
system  with  limited  access. 

g.  Deployed  and  tactical  systems  with  limited  data  input  capabilities  will  incorporate  password  control  measures  to 
the  extent  possible. 

h.  IAMs  and  SAs  will  remove  or  change  default,  system,  factory  installed,  function-key  embedded,  or  mainte¬ 
nance  passwords. 

j.  IAMs  and  SAs  will  prohibit  automated  scripts  or  linkage  capabilities,  including,  but  not  limited  to,  Web  site  links 
that  embed  both  account  and  authentication  within  the  unencrypted  link. 

j.  SAs/NAs,  with  DAA  approval,  will  implement  procedures  for  user  authentication  or  verification  before  resetting 
passwords  or  unlocking  accounts  in  accordance  with  the  C&A  package. 

k.  SAs/NAs  will  conduct  weekly  auditing  of  service  accounts  for  indications  of  misuse. 

l.  The  use  of  password  generating  software  or  devices  is  authorized  as  a  memory  aid  when  it  randomly  generates 
and  enforces  password  length,  configuration,  and  expiration  requirements;  protects  from  unauthorized  disclosure 
through  authentication  or  access  controls;  and  presents  a  minimal  or  acceptable  risk  level  in  its  use. 

4-13.  Release  of  information  regarding  information  system  infrastructure  architecture 

a.  All  Army  personnel  and  contractors  will  protect  and  restrict  access  to  all  documentation  (for  example, 
maps,  test  and  evaluation  results,  vulnerability  assessments,  audits,  results,  or  findings)  describing  operational 
IS  architectures,  designs,  configurations,  vulnerabilities,  address  listings,  or  user  information.  This  information  is 
a  minimum  of  FOUO  and  will  not  be  made  publicly  accessible.  Evaluate  Freedom  of  Information  Act  (FOIA)  requests 
for  such  documents  in  these  categories  on  a  case-by-case  basis. 

b.  All  information  or  IS  responses  that  document  or  display  specific  vulnerabilities  of  a  system  or  network  that 
would  aid  attempts  by  an  adversary  to  compromise  those  critical  systems  or  networks  are  OPSEC  sensitive  and  will  be 
protected,  controlled,  marked,  or  stored  at  the  appropriate  classification  level  for  the  system  concerned.  This  informa¬ 
tion  will  not  be  made  publicly  available. 

c.  Protect  and  restrict  access  to  information  that  is  a  collection  of  interrelated  processes,  systems,  and  networks  that 
provides  information  on  1A  services  throughout  the  Army;  the  KMI;  or  the  incident  detection  and  response  infrastruc¬ 
ture,  capabilities,  or  configuration.  This  information  should  be  marked  FOUO  and  may  be  exempt  from  mandatory 
release  pursuant  to  the  FOIA.  Coordinate  with  your  servicing  FOIA  or  Privacy  Act  office  and  servicing  judge  advocate 
or  legal  advisor  before  releasing  or  deciding  to  withhold  such  information. 

Section  V 
Personnel  Security 

4-14.  Personnel  security  standards 

The  following  standards  designate  positions  requiring  access  to  IT  and  for  processing  information  within  IT  systems. 
These  security  designations  are  required  to  distinguish  potential  adverse  effects  on  Army  functions  and  operations  and, 
therefore,  the  relative  sensitivity  of  functions  performed  by  individuals  having  certain  privileges.  These  positions  are 
referred  to  as  IT  and  IT-related  positions.  The  requirements  of  this  section  will  be  applied  to  all  IT  and  IT-related 
positions,  whether  occupied  by  DA  civilian  employees,  military  personnel,  consultants,  contractor  personnel,  or  others 
affiliated  with  the  DOD  (for  example,  volunteers).  Additional  guidance  is  available  in  DOD  5200.2-R. 

a.  Basic  requirements. 

(1)  Personnel  requiring  access  to  ISs  to  fulfill  their  duties  must  possess  the  required  favorable  security  investigation, 
security  clearance,  or  formal  access  approvals,  and  fulfill  any  need-to-know  requirements. 

(2)  IT-I  is— 

(a)  Defined  as  personnel  in  1A  positions  (for  example,  SAs/NAs  for  infrastructure  devices,  IDSs,  VPNs,  routers; 
SAs/NAs  for  classified  systems  and  devices)  with  privileged-level  access  to  control,  manage,  or  configure  1A  tools  or 
devices,  individual  and  networked  IS  and  devices,  and  enclaves. 

(b)  Favorable  completion  of  a  National  Agency  Check  (NAC)  (current  within  180  days). 

(c)  Initiation  of  a  Single  Scope  Background  Investigation  (SSB1)  and  favorable  review  of  SF  85P  (Questionaire  For 
Public  Trust  Positions),  SF  86  (Questionaire  For  National  Security  Positions),  and  Supplemental  Questionnaire. 

(3)  IT-I  I  is— 

(a)  Defined  as  personnel  in  IA  positions  (for  example,  operating  system  administration  of  common  network 
applications  or  enclaves,  back-up  operators)  with  limited  privileged-level  access  to  control,  manage,  or  configure  ISs 
and  devices,  with  very  limited  (single  device)  or  no  IA  device  access  or  management. 

(b)  A  favorable  review  of  local  personnel,  base/military,  medical,  and  other  security  records  as  appropriate. 

(c)  Initiation  of  a  National  Agency  Check  with  Credit  Check  and  Written  Inquiries  (NACIC)  (for  civilians)  or  a 


32  AR  25-2  •  24  October  2007 

ManningB_0001 6267 


o 


o 


National  Agency  Check  with  Local  Agency  and  Credit  Checks  (NACLC)  (for  military  and  contractors),  as  appropriate 
or  favorable  review  of  SF  85P  and  Supplemental  Questionnaire. 

(4)  IT— III  is— 

(a)  Defined  as — 

1.  Personnel  in  1A  positions,  for  example,  power  users  or  a  SA  on  individual  systems  for  configuration  or 
management  with  limited  privileged-level  access  to  that  lS(s)  or  device(s).  This  is  a  position  of  higher  trust. 

2.  Personnel  with  roles,  responsibilities,  and  access  authorization  of  normal  users  with  non-privileged  level  access  to 
the  IS  or  device. 

3.  Personnel  with  non-privileged  level  access  authorization  in  the  role  of  official  or  statutory  volunteers.  The 
provisions  for  statutory  volunteers  are  covered  in  AR  608—1  - 

(b)  A  favorable  review  of  local  personnel,  base  and  military,  medical,  and  other  security  records,  as  appropriate. 

(c)  Initiation  of  a  NACIC  (for  civilians)  or  national  agency  check  (NAC)  (for  military  and  contractors),  as 
appropriate  and  favorable  review  of  SF  85P  and  Supplemental  Questionnaire. 

(5)  IT-IV  is— 

(a)  Defined  as  personnel  in  non-IT  positions  that  are  temporary,  intermittent,  or  seasonal,  for  example,  unofficial 
volunteers  or  summer  hire  positions,  requiring  restricted  user-level  access  to  unclassified,  non-sensitive  ISs  only. 

( b )  Individual  completes  SF  85P  and  supplemental  questionnaire. 

(c)  A  favorable  review  of  local  personnel,  base/military,  medical,  and  other  security  records  as  appropriate.  This 
investigation  does  not  require  submission  to  OPM. 

(d)  A  favorable  recommendation  by  the  organization  security  manager,  DAA,  Commander,  and  installation  com¬ 
mander,  with  notification  to  the  RCIO/FCIO. 

b.  Personnel  security  controls. 

(1)  Personnel  security  controls,  both  technical  and  non-technical  (for  example,  separation  of  duties,  least  privilege 
access,  identification  and  authentication  (I&A),  digital  signatures,  and  audits),  will  be  incorporated  into  the  IS  and  IS 
procedures,  as  appropriate. 

(2)  Individuals  assigned  to  IT— I,  IT— II,  or  IT— III  positions  who  lose  their  clearance,  or  have  access  to  classified 
systems  suspended  pending  the  results  of  an  investigation,  will  be  barred  access  to  the  ISs  until  favorable  adjudication 
of  that  investigation.  Waivers  for  continued  access  to  unclassified  systems  will  be  justified  in  a  written  request,  with 
the  Commander’s  concurrence,  to  the  DAA  for  approval.  Access  will  be  granted  only  upon  DAA  authorization.  This 
request  and  approval  will  become  part  of  the  C&A  package.  Users  designated  in  IT-I  positions  will  be  removed  from 
these  positions  and  this  denial  of  access  is  non-waiverable. 

(3)  Waivers  processed  for  IT— II  and  IT— III  personnel  only  are  valid  for  a  period  not  to  exceed  6  months.  If  a  second 
waiver  extension  is  required,  one  may  be  granted  as  long  as  a  new  request  for  waiver  is  submitted  to  the  DAA  and 
approved  by  the  first  general  officer,  or  equivalent  in  position  or  civilian  grade,  in  the  Chain  of  Command. 

(4)  While  the  Commander  and  DAA  have  the  discretion  to  process  the  waiver  for  IT— 11  and  IT— III,  it  is  important 
that  this  discretion  is  not  without  limits.  The  Commander  and  DAA  are  advised  to  proceed  carefully  and  deliberately  in 
making  a  determination  on  whether  the  individual  constitutes  a  security  risk.  The  IT— II/IT— III  roles  must  be  highly 
supervised.  Any  access  to  protective  devices  (for  example,  firewalls,  VPNs,  intrusion  detection  systems  (IDSs),  IPSs, 
and  so  on)  will  be  prohibited  until  favorable  adjudication. 

(5)  The  servicing  legal  office  should  be  consulted  for  advice  concerning  personnel,  security,  contract  and  labor 
relations  issues  that  may  impact  the  final  determination.  Recheck  local  records  to  identify  any  issues  that  may  be  a 
deciding  factor  in  the  waiver  process. 

(6)  New,  credible  derogatory  information  revokes  any  standing  waiver  and  results  in  immediate  denial  of  access  to 
IT  systems  (exceptions  are  for  military  only  based  on  immediate  supervision  of  the  individual  while  on  the  IS). 

(7)  Contractor,  FN  or  temporary  individuals  assigned  to  any  IT  positions  who  have  their  unclassified  system  or 
network  accesses  revoked  or  suspended  for  derogatory  reasons,  will  be  barred  access  to  the  ISs  until  favorable 
adjudication  of  that  investigation.  The  organization’s  IASO/IANO/IAM  (as  appropriate)  will  identify  any  other  official 
systems/networks  for  which  that  individual  has  an  account  (for  example,  AKO)  and  have  it  temporarily  disabled  or 
suspended. 

(8)  The  required  investigation  levels  for  an  IT-I  position  are  outlined  below  in  table  4-2. 
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Investigative  levels  for  users  with  privileged  access  (IT— I)  to  ISs 


Privileged  access— IT— I1 


User  roles 

Foreign  national 

U.S.  civilian 

U.S.  military 

U.S.  contrac¬ 
tor 

Conditions  or  examples 

DAA  or  IAPM 

Not  allowed 

SSBI 

SSBI 

Not  allowed 

None 

IANM 

Not  allowed 

SSBI 

SSBI 

Conditional 

SSBI 

With  CIO/G-6  written  approval,  contrac¬ 
tors  may  continue  as  IA  personnel  until  re¬ 
placed 

1AM 

Not  allowed 

SSBI 

SSBI 

Conditional 

SSBI 

Contractor  may  not  fill  MSC,  installation, 
or  post  1AM  position 

IASO/IANO 

No.  allowed 

SSBI 

SSBI 

Conditional 

SSBI 

Contractor  may  not  fill  MSC,  installation, 
or  post  IASO/IANO  position  (if  created) 

Monitoring  or  test- 

Not  allowed 

SSBI 

SSBI 

SSBI 

None 

SA/NA  or  Adminis¬ 
trator  (with  IA  priv¬ 
ileged  access)  or 
maintenance  of  IA 
devices 

Conditionally  al¬ 
lowed— SSBI 
(equivalent) 2 

SSBI 

SSBI 

SSBI 

Examples:  administration  of  IA  devices 
(for  example,  boundary  devices,  IDSs, 
routers,  and  switches) 

Notes: 

1  Investigative  levels  are  defined  in  DOD  5200.2-R.  The  term  "Foreign  National"  (FN)  refers  to  all  individuals  who  are  non-U. S.  citizens,  including  U.S.  mili¬ 
tary  personnel,  DOD  civilian  employees,  and  contractors 

2  FN— under  the  immediate  supervision  of  a  U.S.  citizen  with  written  approval  of  CIO/G-6. 


(9)  The  required  investigation  levels  for  an  IT— II  position  are  outlined  below  in  table  4-3. 


Investigative  levels  for  users  with  limited  privileged  access  (IT— II)  to  ISs 


Limited  privileged  access— IT— II1 


User  roles 

FN 

(see  note  2) 

U.S.  civilian 

U.S.  military 

U.S.  contractor 

Conditions  or  examples 

IAM/IANM 

Not  allowed 

NACI 

NACLC 

NACLC 

None 

IANO/IASO 

Conditionally  al¬ 
lowed— NACLC 
equivalent 

NACi 

NACLC 

NACLC 

FN— with  DAA  written  approval,  and 
documentation  in  the  C&A  package, 
direct  or  indirect  hires  may  continue 
as  IA  personnel  until  they  are  re¬ 
placed,  provided  they  serve  under  the 
immediate  supervision  of  a  U.S.  citi¬ 
zen  1AM  and  have  no  supervisory  du¬ 
ties 

Supervisor  of  IT  1  or 
IT  II  positions 

Not  allowed 

NACI 

NACLC 

NACLC 

None 

Administrator  (with 
no  IA  privileged  ac¬ 
cess)  or  maintenance 
of  lA-enabled  prod¬ 
ucts 

Conditionally  al¬ 
lowed— NACLC 
equivalent2 

NACI 

NACLC 

NACLC 

Examples:  IS  administration,  OS  ad¬ 
ministration,  end-user  administration, 
and  administration  of  common  appli¬ 
cations  (for  example,  e-mail,  word 
processing) 

Notes: 

'  Investigative  levels  are  deFned  in  DOD  5200.2-R  FN  refers  to  all  individuals  who  are  non-U.S.  citizens,  including  U.S.  military  personnel.  DOD  civilian 
employees,  and  contractors. 

2  FN — under  the  immediate  supervisor  of  a  U.S.  citizen. 
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c.  Access  by  non-U.S.  citizens. 

(1)  Minimize  employment  of  non-U.S.  citizens  in  IT  positions.  However,  compelling  reasons  may  exist  to  grant 
access  to  DOD  IT  resources  in  those  circumstances  in  which  a  non-U.S.  citizen  possesses  a  unique  or  unusual  skill  or 
expertise  that  is  urgently  needed  for  a  specific  DOD  requirement  and  for  which  a  suitable  U.S.  citizen  is  not  available. 
Written  compelling-reason  justification,  documentation  in  the  C&A  package,  and  DAA  approval  are  required. 

(2)  Access  to  sensitive  information  by  a  non-U.S.  citizen  who  is  not  a  DOD  employee  will  only  be  permitted  in 
accordance  with  applicable  disclosure  policies  (for  example,  National  Disclosure  Policy  1,  DODD  5230.9,  DODD 
5230.25)  and  U.S.  statutes  (for  example,  the  Arms  Export  Control  Act,  22  USC  2551,  et.  seq.). 

(3)  If  information  to  which  the  incumbent  will  have  access  is  authorized  for  foreign  disclosure,  non-U.S.  citizens 
assigned  to  DOD  IT  positions  are  subject  to  the  investigative  requirements  outlined  below. 

(4)  Non-U.S.  citizens  may  hold  IT  positions  under  the  conditions  described  in  the  paragraphs  below  and  if  the  DAA 
that  accredited  the  system  and  the  data  owners  approve  the  assignment  requirements  in  writing.  The  written  approval 
must  be  on  file  and  provided  as  an  artifact  to  the  C&A  package,  before  requesting  the  required  investigation.  The 
required  investigation  must  be  completed  and  favorably  adjudicated  before  authorizing  access  to  DOD  systems  or 
networks.  Interim  access  is  prohibited. 

(5)  Assignment  (including  assignments  due  to  accretion  of  duties)  of  current  DOD  employees,  military  personnel, 
consultants,  and  contractors  to  positions  with  different  responsibilities  or  changed  access  privileges  requires  verification 
of  the  appropriate  investigative  basis  and  authority  for  holding  a  position  of  that  level  of  sensitivity. 

d.  Interim  assignments. 

(1)  Individuals  including  temporary,  intermittent,  or  seasonal  personnel— may  be  assigned  to  unclassified  IT  11  and 
IT— III  positions  on  an  interim  basis  before  a  favorable  completion  of  the  required  personnel  security  investigation  only 
after  the  conditions  specified  have  been  met. 

(a)  Individual  completes  SF  85P  and  supplemental  questionnaire. 

(b)  A  favorable  recommendation  by  the  organization  security  manager.  Commander  or  Director,  DAA,  and  Installa¬ 
tion  Commander,  with  RCIO/FCIO  notification. 

(c)  Initiation  of  security  investigation  has  been  submitted  or  is  pending  adjudication. 

(d)  Interim  access  is  not  authorized  for  non-U.S.  citizens. 

(2)  The  security  manager  at  the  requesting  activity  will  make  interim  assignment  approvals  for  civilian  and  military 
personnel. 

(3)  The  Government  sponsor’s  security  manager  or  official  will  make  the  approval  for  volunteer  access. 

(4)  The  interim  assignment  of  contractor  personnel  fulfilling  IT  positions  will  be  restricted  and  implemented  only 
upon  documentation  in  the  C&A  package  and  acceptance  of  the  DAA  and  the  Contracting  Officer  evaluations  on  a 
case-by-case  basis. 

e.  Adjudication. 

(1)  The  provisions  of  this  section  apply  only  to  contractor  personnel.  (Civilian  employees,  military  personnel, 
consultants,  volunteers,  and  seasonal,  part-time,  and  intermittent  employees  will  be  favorably  adjudicated  by  the 
appropriate  DOD  central  adjudication  facility.) 

(2)  OPM  will  adjudicate  investigations  for  a  trustworthiness  determination  using  the  national  adjudicative  guidelines 
for  access  to  classified  information.  If  the  adjudication  is  favorable,  OPM  will  issue  a  letter  of  trustworthiness  to  the 
requesting  activity. 

(3)  If  a  favorable  trustworthiness  is  indeterminate,  OPM  will  forward  the  case  to  the  Defense  Office  of  Hearings  and 
Appeals  (DOHA)  in  Columbus,  OH,  for  further  processing  under  DODD  5220.6.  A  final  unfavorable  decision 
precludes  assignment  to  an  IT-I,  II,  or  III  position. 

(4)  Enter  all  OPM  IT  trustworthiness  determinations  of  DOD  contractor  personnel  into  the  OPM  Security/Suitability 
Investigative  Index  (SI1). 

/  Reinvestigation.  Individuals  occupying  an  IT  position  will  be  subject  to  a  periodic  reinvestigation  according  to 
existing  contract,  labor  relations,  or  personnel  security  policy. 

4-15.  Foreign  access  to  information  systems 

a.  To  ensure  standardized  and  appropriate  access  to  the  Unclassified  but  Sensitive  Internet  Protocol  Routing 
Network  (NIPRNET)  by  foreign  officials,  IA  personnel  will  meet  the  requirements  delineated  below.  Provide  each 
authorized  foreign  official  a  .mil  address  on  the  unclassified  network  required  for  executing  his  or  her  foreign  official 
duties  as  outlined  in  his  or  her  respective  certification.  For  each  authorized  foreign  official,  the  local  area  network 
administrator  will  place  a  caveat  or  marker  on  the  user  account  and  all  outgoing  e-mails  from  that  person  identifying 
them  as  a  foreign  official  from  a  specific  country.  In  doing  so,  the  local  area  network  administrator  will  spell  out  the 
words  “Foreign  Official”  and  the  country  name  of  the  foreign  official  and  will  not  use  an  acronym  for  that  country.  In 
addition,  the  local  area  administrator  will  indicate  the  type  of  foreign  official  access  that  is  granted.  The  required  tags 
for  each  of  the  five  categories  of  foreign  officials  would  thus  read  as  shown  below  (replace  each  hypothetical  country 
name  with  the  appropriate  one). 
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(1)  Foreign  liaison  officer  (FLO):  “Last  Name,  First  Name  Middle  Initial-Foreign  National-Germany-FLO.”  (Note: 
Local  area  network  administrators  will  designate  FLOs  representing  the  United  Kingdom,  Canada,  or  Australia  as 
STANREPs  rather  than  as  FLOs.) 

(2)  Cooperative  Program  personnel  (CPP):  “Last  Name,  First  Name  Middle  Initial-Foreign  National-Turkey-CPP” 

(3)  Engineer  and  Scientist  Exchange  Program  (ESEP):  “Last  Name,  First  Name  Middle  Initial-Foreign  National- 
Israel-ESEP”. 

(4)  Standardization  representative  (STANREP):  “Last  Name,  First  Name  Middle  Initial-Foreign  National-United 
Kingdom-STANREP”. 

(5)  Military  Personnel  Exchange  Program  (MPEP):  “Last  Name,  First  Name  Middle  Initial-Foreign  National-Italy- 
MPEP”. 

b.  Limit  access  to  foreign  officials,  exchange  personnel,  or  representatives  to  computers  that  incorporate  Army- 
mandated  access  and  auditing  controls.  Approval  to  access  the  NIPRNET  does  not  equate  to  authority  to  exchange  data 
or  access  systems  located  on  that  network.  The  appropriate  system  DAA  will  approve  access  to  foreign  officials  on  an 
as  needed  basis  and  updating  the  documentation  in  the  C&A  package.  Similarly,  the  designated  release  or  disclosure 
authority  will  grant  access  to  the  information  on  ISs  to  foreign  officials  on  an  as-needed  basis. 

c.  E-mail  signature  blocks  will  be  automatically  generated  for  all  foreign  personnel,  and  include  the  foreign 
individual’s  nationality  and  position. 

d.  If  the  organization  where  a  foreign  official  is  certified  determines  there  is  a  need  for  the  foreign  official  to  have 

access  to  the  NIPRNET  beyond  e-mail  access  (for  example,  an  AKO  account),  submit  an  exception  to  policy  through 
the  DAA  to  the  RCIO  IAPM,  to  be  forwarded  to  the  CIO/G6.  The  approval  will  become  part  of  the  C&A  package  for 
the  IS.  This  includes  individuals  granted  access  prior  to  the  publication  of  this  regulation.  Commands  will  immediately 
evaluate  each  case  and  forward  their  exception  recommendation.  The  exception  will  be  reviewed  by  the  appropriate 
HQDA  Program  Manager  and  the  NETCOM/9th  SC  (A)  OIA&C  prior  to  disposition.  The  exception  must  include  the 
following  information - 

(1)  Request  from  the  Commander  that  states  the  need  to  know,  tied  to  the  foreign  official’s  certification  and 
Delegation  of  Disclosure  Authority  Letter  (DDL). 

(2)  Statements  from  the  installation  and  command’s  IAM  stating  proper  security  procedures  are  in  place.  The  DCS, 
G-2,  Foreign  Disclosure  and  Security  Directorate  will  also  review  the  exception  before  final  disposition. 

e.  Official  access  to  information  residing  on  an  IS  or  network  will  be  limited  to  that  controlled  but  unclassified 
information  required  to  fulfill  the  terms  of  the  contract  or  agreement  provided  minimum  security  requirements  of  this 
section  are  met. 

f  Disclosure  of  classified  military  information  to  foreign  governments  and  international  organizations  is  limited  and 
will  be  in  accordance  with  AR  380-10,  DODD  5230.11,  and  CJCSI  5221. 01B. 

g.  International  Military  Students  (IMS)  who  have  been  vetted  and  approved  for  U.S.  Army  training  and  Profes¬ 
sional  Military  Education  (PME)  attending  resident  training  or  enrolled  in  the  Army  Distance  Education  Program 
(DEP)  at  U.S.  Army  and  Army-managed  schools/training  activities  will  agree  to  comply  with  all  U.S.  MILDEP 
requirements.  They  are  required  to  sign  an  AUP  user  agreement.  There  is  no  requirement  for  background  investigations 
as  described  since  in-country  U.S.  officials  perform  a  security  screening  of  each  student  before  selection  approval.  To 
prevent  inadvertent  disclosure  of  information,  international  military  students  will  be  identified  as  students  in  their  email 
address,  display  name  and  automated  signature  block  (for  example,  john.i.smith.uk.stu@xxx.army.mil). 

h.  NIPRNET  access  policy  and  procedures  for  FNs  in  non-official  positions  as  identified  above,  are  as  follows: 

(1)  Components  or  organizations  will  maintain  records  on  access  including  the  following  information- 
fa)  Specific  mission  requirements  for  foreign  access  or  connection. 

(b)  Justification  for  each  individual  FN. 

(c)  Confirmation  that  the  minimum-security  requirements  of  this  section  are  enacted,  including  the  user  agreement 
discussed  below. 

(2)  Before  authorizing  FN  access  to  a  specific  IS  on  the  NIPRNET  or  the  Secret  Internet  Protocol  Routing  Network 
(SIPRNET),  Army  components  will — 

(a)  Ensure  the  information  is  properly  processed  for  disclosure. 

(b)  Ensure  DAAs  and  data  owners  concur  with  the  access. 

(c)  Ensure  the  C&A  documentation  for  the  system  is  updated  to  reflect  FN  access. 

(d)  Ensure  security  measures  employed  adhere  to  this  policy. 

(e)  Validate  the  identity  of  each  FN  authorized  access  to  ISs  to  ensure  accountability  of  all  actions  taken  by  the 
foreign  user. 

(f)  Ensure  the  FN  follows  appropriate  security  policies  and  procedures  and  that  the  IASO  possesses  the  authority  to 
enforce  these  policies  and  procedures.  Before  accessing  any  system,  an  FN  will  sign  an  AUP  agreement  that  includes — 

1.  Acknowledgment  of  appropriate  information  security  policies,  procedures,  and  responsibilities. 

2.  The  consequences  of  not  adhering  to  security  procedures  and  responsibilities. 
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3.  Identification  requirements  when  dealing  with  others  through  oral,  written,  and  electronic  communications,  such 
as  e-mail. 

4.  Department  of  the  Army  employees  or  contractors  who  are  FNs  and  are  direct  or  indirect  hires,  currently 
appointed  in  1A  positions,  may  continue  in  these  positions  provided  they  satisfy  the  provisions  of  paragraph  4-14, 
DODD  8500.1,  DODI  8500.2,  and  DOD  5200.2-R;  are  under  the  supervision  of  an  I  AM  who  is  a  U.S.  citizen;  and  are 
approved  in  writing  by  the  DAA  and  captured  in  the  C&A  package. 

5.  FNs  assigned  into  IT  positions  will  be  subject  to  the  same  (or  equivalent)  vetting  as  U.S.  citizens. 

6.  FNs  may  hold  or  be  authorized  access  to  IT— II  and  IT— III  positions  provided  the  required  background  investiga¬ 
tion  has  been  completed  or  favorably  adjudicated. 

7.  Additionally,  an  FN  may  be  assigned  to  an  IT-I  position  only  after  the  DAA  who  owns  the  system  and  the  data 
owner  who  owns  the  information  sign  a  waiver  and  the  assignment  has  been  approved  by  the  CIO/G-6.  The  approvals 
will  become  part  of  the  C&A  package.  Sign  and  place  the  waiver  in  the  individual’s  security  file  before  requesting  the 
required  background  investigation.  The  required  background  investigation  must  be  completed  and  favorably  adjudicated 
before  authorizing  IT-I  access  to  DA  systems/networks. 

8.  Do  not  assign  FNs  to  IT-I,  IT— II,  or  IT— III  positions  on  an  interim  basis  before  a  favorable  adjudication  of  the 
required  personnel  security  investigation. 

Generally,  an  FN  or  official  representative  is  not  authorized  access  to  the  U.S.  controlled  SIPRNET  terminal 
workspace.  If  an  authorized  foreign  official  or  national  working  at  a  U.S.  Army  site  has  a  requirement  for  accessing  the 
SIPRNET,  the  commander  will  submit  an  exception  to  policy  through  the  DAA  to  the  RCIO  IAPM,  to  be  forwarded  to 
the  HQDA  CIO/G-6,  and  reviewed  by  the  DCS,  G-2  Foreign  Disclosure  Directorate  prior  to  disposition.  CIO/G-6  will 
coordinate  the  request  with  the  Army  staff  and  forward  to  DISA.  These  requests  will  be  staffed  with  the  presumption 
of  denial.  Apply  the  procedures  of  this  section  after  DISA's  approval  and  any  additional  guidance  provided  by  DISA 
on  the  connection  process  for  FNs.  E-mail  signature  blocks  will  be  automatically  generated  for  all  FNs,  and  include  the 
foreign  individual’s  nationality  and  position.  The  approvals  will  become  part  of  the  C&A  package. 

Section  VI 

Information  Systems  Media 
4-16.  Protection  requirements 

a.  All  IS  equipment  and  facilities  used  for  processing,  handling,  and  storing  classified  data  will  be  operated  and 
secured  where  applicable  per  the  DCID  6/3,  AR  380-5,  this  regulation,  or  Joint  DODIIS  Cryptologic  SCI  Information 
Systems  Security  Standards  (JDCSISSS). 

b.  All  Army  personnel  and  contractors  will  mark,  ship,  store,  process,  and  transmit  classified  or  sensitive  informa¬ 
tion  in  accordance  with  AR  380-5. 

c.  Control  ISs  containing  non-removable,  non-volatile  media  used  for  processing  classified  information. 

d.  Commanders,  Directors,  and  IA  personnel  will  verily  procedures  and  train  users,  administrators  and  security 
personnel  in  processes  for  spillage  incidents  of  higher-level  or  classified  information  to  a  lower-level  IS. 

e.  SAs  will  configure  ISs  to  apply  security  or  handling  markings  automatically  when  possible  or  available. 

/  SAs  will  configure  ISs  to  display  the  classification  level  on  the  desktop  or  login  screen  (for  example, 
wallpaper,  splash  screen)  when  the  device  is  locked,  the  user  is  logged  off,  or  the  IS  is  used  in  spanning  multi¬ 
classification  networks  through  the  use  of  a  KVM  device. 

g.  All  Army  personnel  and  contractors  will  not  transmit  classified  information  over  any  communication  system 
unless  using  approved  security  procedures  and  practices  including,  encryption,  secure  networks,  secure  workstations, 
and  ISs  accredited  at  the  appropriate  classification  level. 

4-17.  Labeling,  marking,  and  controlling  media 

a.  Unless  write-protected  or  read-only,  all  personnel  will  protect  and  classify  media  inserted  into  a  system  at  the 
highest  level  the  system  is  accredited  to  process  until  the  data  or  media  is  reviewed  and  downgraded  by  the  IASO. 

b.  All  personnel  will  clear  removable  media  before  reusing  in  ISs  operating  at  the  same  or  higher  protection  level. 

c.  All  personnel  will  mark  and  control  all  media  devices,  peripherals,  and  ISs  as  follows: 

(1)  TS  or  SCI  or  intelligence  data  per  DCID  6/3,  DCID  1/7  and  JDCSISSS  as  applicable. 

(2)  Classified  media  per  AR  380-5  requirements. 

(3)  FOUO  media  per  AR  25-55  requirements. 

(4)  Privacy  Act  media  per  AR  340-21  requirements. 

(5)  NATO  information  per  AR  380-5  requirements. 

d.  All  personnel  will  mark  and  control  the  media  or  IS  after  determination  of  the  classification  level  of  the  data 
placed  on  the  media.  Implement  media  accountability  procedures  based  on  the  type  of  media  and  the  classification  of 
the  data  as  required  above. 


37 


ManningB_0001 6272 


AR  25-2  •  24  October  2007 


o 


o 


4-18.  Clearing,  purging  (sanitizing),  destroying,  or  disposing  of  media 

a.  Procedures  for  disposition  of  unclassified  hard-drive  media  outside  DOD  custody  will  follow  current  guidelines 
addressed  in  the  published  BBP. 

b.  All  personnel  will  purge  media  before  reuse  in  a  different  environment  than  the  one  in  which  they  were 
previously  used  (new  users  without  a  need-to-know  for  the  original  data)  or  with  data  at  a  different  classification  or 
sensitivity  level  or  when  the  drives  have  met  the  end  of  their  life  cycle.  Ensure  custodial  equipment  transfer 
requirements  are  accomplished.  1A  personnel  will  verify  that  personnel  are  trained  on  local  procedures.  Purging 
electronic  media  does  not  declassify  the  media,  as  declassification  is  an  administrative  process. 

c.  1A  personnel  will  conduct  random  security  inspections  for  violations  of  removable  media  physical  security 
measures  quarterly. 

d.  1A  personnel  will  purge  unclassified  media  before  consideration  for  release  outside  DOD  control. 

e.  IA  personnel  will  destroy  media  that  has  ever  contained  NSA  Type  1  cryptographic  or  COMSEC  materiel  at  end 
of  life  cycle  in  accordance  with  approved  destruction  processes. 

/  IA  personnel  will  destroy  SCI  media  at  end  of  life  cycle  in  accordance  with  DCID  6/3  for  DODIIS  systems  and 
NSA  130-1  and  130-2  for  NSA  Cryptologic  systems  in  accordance  with  approved  destruction  processes. 

g.  IA  personnel  will  destroy  media  that  contained  classified  material  or  was  involved  in  a  classified  spillage  incident 
at  end  of  life  cycle  in  accordance  with  approved  destruction  processes. 

h.  When  it  is  more  cost  effective,  or  to  ensure  absolute  security,  destroy  media  instead  of  purging  or  declassifying  in 
accordance  with  approved  destruction  processes. 

i.  The  IAM  will  establish  procedures  to  periodically  verify  the  results  of  any  purging  and  IS  release  processes. 

j.  Spillage  recovery  procedures  for  data  from  higher-classified  information  to  lower-classified  systems  are  addressed 
in  a  separately  published  BBP. 

Section  VII 
Network  Security 

4-19.  Cross-domain  security  interoperability 

The  DOD  Global  Information  Grid,  Inter-connection  Approval  Process  (GIAP)  was  created  out  of  the  need  to  provide  a 
consistent  way  to  simplify  and  consolidate  the  various  connection  approval  processes.  All  DOD  Services  and  agencies 
must  comply  with  these  processes  when  connecting  networks  of  different  classification  levels.  The  Top  Secret  and 
Below  Interoperability  (TABI)  and  the  Secret  and  Below  Interoperability  (SABI)  processes  provide  an  integrated, 
comprehensive,  and  consistent  approach  to  addressing  the  shared  risk  associated  with  the  connection  of  networks  of 
different  classification  levels. 

a.  Organizations  requiring  a  cross-domain  solution  must  first  complete  the  information  on  the  GIAP  Web  site 
(https://giap.disa.smil.mil). 

b.  Organizations  requiring  a  cross-domain  solution  will  also  contact  the  NETCOM/9th  SC  (A)  Office  of  Information 
Assurance  and  Compliance,  Cross-Domain  Solutions  Office  to  provide  notification  of  the  cross-domain  process 
initiation. 

c.  The  cross-domain  process  follows  the  DIACAP  and  requires  that  networks  be  fully  certified  and  accredited  and 
that  all  associated  security  devices  be  certified,  tested,  and  evaluated  (CT&E)  in  accordance  with  the  NSA  compliance 
standards.  Approved  standardized  cross-domain  solutions  will  be  acquired  through  CSLA.  Non-standard  solutions  will 
require  an  extensive  engineering  effort. 

d.  All  Army  organizations  that  maintain  connections  between  networks  of  different  classification  levels  must 
annually  revalidate  their  connections  in  accordance  with  the  SIPRNET  DAA  directives.  Contact  the  SIPRNET 
Connection  Approval  Office  for  current  guidance  and  requirements. 

e.  Manage  all  interconnections  of  DOD  ISs  to  continuously  minimize  community  risk  by  ensuring  that  one  system  is 
not  undermined  by  vulnerabilities  of  other  interconnected  systems  and  that  one  system  does  not  undermine  other 
systems.  All  ISs  within  interconnected  (or  trusted  networks)  will  meet  networthiness  certification. 

4-20.  Network  security 

a.  Procedures.  Commanders  will  establish  procedures  to  manage  and  control  access  to  all  ISs,  networks,  and 
network  equipment  to  ensure  integrity,  confidentiality,  availability,  non-repudiation,  and  authentication,  regardless  of 
classification  level. 

b.  Requirements.  Positive  IA  measures  ensure  all  users  satisfy  the  requirements  specified  before  granting  an 
individual  access  (including  dial-up  services  and  Internet  access)  to  DOD  and  Army  networks,  systems,  and  stand¬ 
alone  computers. 

(1)  Individual.  Commanders  will  verify  and  I A  personnel  will  deny  physical  and  logical  access  to  individuals  who 
cannot  meet  access  requirements. 

(2)  Proponents.  Proponents  for  programs  that  require  network  services  for  family  members,  retirees,  and  other 
individuals  serviced  at  Army  installations  for  example,  unofficial  recreational  activities;  libraries;  education  centers;  or 
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Army-Air  Force  Exchange  Service  (AAFES)  kiosks,  should  arrange  for  services  through  a  commercial  Internet  service 
provider  (ISP)  or  other  isolated  connection  capability.  Proponents  will  coordinate  with  the  installation  DOIM  for 
service  and  the  1AM  for  IA  requirements.  These  connections  are  unofficial  communications  and  will  be  isolated  either 
logically  or  physically  from  official  DOD  and  Army  NIPRNET  networks. 

(3)  MWR  garrison  activities.  MWR  garrison  activities  dependent  upon  the  Installation  LAN  for  network  connec¬ 
tivity  in  accordance  with  DODI  1015.10  and  AR  215-1  to  provide  Executive  Control  &  Essential  Command  Supervi¬ 
sion  (ECECS)  in  support  of  the  Commanders  Fiduciary  responsibility,  are  authorized  the  use  of  NIPRNET  connectivity 
to  support  Commander’s  MWR  activities.  Published  BBPs  describe  the  standards  for  acceptable  connectivity  and  IA 
security  requirements. 

(4)  JIM  networks.  JIM  networks  that  have  NETCOM/9th  SC  (A)  provided  connectivity  will  implement  the  most 
restrictive  and  isolating  configuration  and  implementation  management  principles  (inclusive  of,  but  not  limited  to, 
separate  enclaves  and  identifications,  and  tunneled  or  dedicated  connectivity)  to  those  that  are  absolutely  required  for 
military  or  support  operations  as  necessary  and  in  compliance  with  IA  requirements  in  this  and  other  applicable 
regulations.  In  order  to  be  entirely  separate,  JIM  networks  must  not — 

(a)  Utilize  Army  IP  numbering  for  their  end  users,  servers  or  network  devices. 

(b)  Utilize  army.mil  as  their  logical  extension. 

(c)  Connect  to  any  local  Army  network  on  Army  installations. 

(d)  Require  Army  network  and  systems  management,  systems  administration,  or  maintenance  and  repair  support  as  a 
standard  level  of  service. 

(e)  Require  Army  to  provide  security  oversight,  management,  or  services  from  the  Army  as  a  standard  level  of 
service. 

(f)  Report  IAVM  compliance  through  Army  channels. 

(g)  Receive  Army  funding  for  implementation  at  the  location. 

c.  Restrictions.  Supervisors  and  managers  will — 

(1)  Ensure  transmission  of  classified  or  sensitive  information  via  applicable  secure  means. 

(2)  Authorize  commercial  ISP  accounts  per  chapter  6,  AR  25-1. 

(3)  Ensure  there  are  no  cross-connections  directly  between  the  Internet  and  NIPRNET  of  ISs.  For  example  do  not 
permit  a  modem  connection  (for  example,  multi-functional  devices  such  as  copier/fax/printer  combinations)  to  a 
commercial  ISP  or  service  while  the  IS  is  also  connected  to  the  NIPRNET.  NIPRNET  connected  systems  will  have  this 
function  disabled. 

(4)  Permit  direct  connections  to  the  Internet  to  support  electronic  commerce  when  those  systems  will  not  connect  to 
the  NIPRNET  or  the  SIPRNET. 

d.  Security  protection  between  enclaves,  (that  portion  of  the  network  outside  the  installation’s  or  activity’s  controls). 
Commanders  and  IA  Personnel  will  utilize  the  following  processes  on  routers,  switches,  firewalls,  and  other  networking 
devices  to  provide  protection  from  external  networks. 

(1)  Firewalls.  Configure  firewalls  with  least-privilege  access  controls.  Layer  firewalls  at  the  boundaries  between 
border  and  external  networks  and  as  needed  throughout  the  architecture  to  improve  the  level  of  assurance.  NETCOM/ 
9th  SC  (A)  will  approve  firewall  implementation  guidance  for  use  within  the  Army.  Every  information  system  should 
be  protected  by  either  an  approved  host-based  or  network-based  (enclave)  firewall. 

(2)  Access  control  lists.  Update  and  manage  access  control  lists  (ACLs)  through  secure  mechanisms  and  incorporate 
a  “deny  all,  permit  by  exception”  (DAPE)  policy  enforcement. 

(3)  Network  configurations.  IA  personnel  will  implement  network  configurations  to  remove  or  block  any  unneces¬ 
sary  or  unauthorized  services,  software,  protocols,  and  applications  such  as:  LanMan,  gaming  software,  Gnutella,  IRC, 
ICQ,  Instant  Messaging,  peer-to-peer. 

(4)  Ports,  Protocols,  and  Services  Management  (PPSM).  Permit  only  ports,  protocols,  and  services  (PPS)  as 
authorized.  The  Commander  and  network  management  personnel  will: 

(a)  Restrict  enterprise  and  enclave  boundary  firewalls  and  firewall-like  devices  to  the  usage  of  approved  PPS  in 
accordance  with  the  DODI  8551.1  on  PPSM.  DOD  considers  PPSs  not  listed  on  the  DOD  PPS  TAG  list  as  “deny  by 
default.” 

(b)  PPSs  designated  as  “high-risk”  are  unacceptable  for  routine  use.  Prohibit  high-risk  PPSs  unless  expressly 
approved  for  a  specific  implementation  with  defined  conditions  and  risk  mitigation  strategies. 

(c)  PPSs  designated  as  “medium-risk”  have  an  acceptable  level  of  risk  for  routine  use  when  used  with  required 
mitigation  strategies. 

(d)  PPSs  designated  as  “low-risk”  are  recommended  as  best  security  practices  and  advocated  for  use  by  Army 
developers  in  future  systems  and  applications.  Not  all  low-risk  PPSs  are  acceptable  under  all  implementations  and  may 
require  approval. 

(e)  The  goal  of  NETCOM/9th  SC  (A)  is  the  migration  systems  that  use  high-  and  medium-risk  PPSs  to  low-risk 
PPSs  as  part  of  its  life  cycle  management  processes  through  system  redesign  while  maintaining  current  standards-based 
applications  and  requirements  (for  example,  port  21  for  ftp,  port  80  for  Web). 
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(j)  NETC0M/9th  SC  (A)  is  responsible  for  PPS  management  and  will  approve  and  publish  Armywide  mitigation 
strategies  for  PPSs. 

(5)  Domain  name  service  (DNS).  TNOSCs  will  monitor  DNS  servers  for  compliance  and  adherence  to  DNS 
policies.  Owning  organizations  will  provide  host-based  intrusion  detection  monitoring  for  these  servers. 

(6)  Virtual  private  networks  (VPNs).  Virtual  private  networks  will  require  approval  to  connect  and  operate  from  the 
RCIO  using  NETCOM/9th  SC  (A)  CCB-approved  and  published  implementation  processes  (when  implemented)  after 
documenting  a  well-defined  acceptable  use  policy,  security  concept  of  operations,  an  SSAA  risk  analysis  and  manage¬ 
ment  plan,  and  Networthiness  certification,  before  implementation. 

(7)  Storage  area  configurations.  As  developing  technologies  (for  example,  storage  area  networks,  collaborative 
environments,  data  sharing  technologies,  web-casting,  or  real/near-real  time  distribution  capabilities)  are  implemented, 
they  must  incorporate  secure  IA  principles.  Minimum  requirements  include,  but  are  not  limited  to  the  listed  below 
requirements.  Network  management  personnel  will — 

(a)  Obtain  approval  for  C&A,  CAP,  and  Networthiness. 

(b)  Use  approved  NETCOM/9th  SC  (A)  configuration-management  implemented  processes. 

(c)  Secure  the  information  at  rest  and  in  transit  and  ensure  that  the  configuration  does  not  introduce  additional  risks 
or  vulnerabilities. 

(d)  Use  secure  communication  and  access  protocols. 

(e)  Implement  security  controls  and  validate  all  user  supplied  input. 

(f)  Implement  extranet  connections  through  a  multi-tiered  and  layered  approach  requiring  separate  and  distinct 
servers  across  the  environment  for  each  tier,  and  minimally  include — 

1.  User  access  tier,  usually  through  a  Web  site  that  offers  static  pages  and  will  be  SSL  enabled  as  a  minimum. 

2.  Application  tier,  authenticates  authorized  users,  access,  and  interfaces  between  the  user  and  the  data. 

3.  Protection  of  the  database  or  data  tier  (for  example,  flat  files,  e-mail),  information  that  is  accessed  by  the 
application  on  behalf  of  the  user. 

(g)  Incorporate  firewalls,  filtering,  protective,  and  monitoring  devices  (for  example,  IPSs,  IDSs)  at  each  enclave 
layer. 

(h)  Employ  encryption,  single-sign-on,  tokens,  or  DOD  authorized  digital  certificates  equivalent  to  the  level  of  data 
accessed  or  available  and  adequately  passed  through  the  application  server  to  access  the  data  requested. 

(i)  Employ  data  separation  and  authentication  “need  to  know”  measures  and  requirements. 

e.  Protection  of  internal  networks,  (portion  of  the  network  that  is  directly  controlled  by  the  installation  or  activity). 
Network  management  personnel  will: 

(1)  Establish  trusts  in  accordance  with  the  installation  C&A.  There  will  be  no  trusted  relationships  established  with 
any  other  domains  or  networks  until  both  are  Networthiness  certified  and  approved  by  the  respective  DAAs  and 
documented  in  the  C&A  package. 

(a)  The  DAAs  of  the  participating  ISs  and  the  DAA  of  the  overall  network  (if  designated)  will  sign  a  Memorandum 
of  Understanding  (MOU).  The  MOU  becomes  an  artifact  to  the  C&A  package. 

(b)  The  DAA’s  approval  will  include  a  description  of  the  classification  and  categories  of  information  that  can  be 
sent  over  the  respective  networks. 

(2)  Connection  between  accredited  ISs  must  be  consistent  with  the  confidentiality  level  and  any  other  restrictions 
imposed  by  the  accredited  ISs.  Unless  the  IS  is  accredited  for  multilevel  operations  and  can  reliably  separate  and  label 
data,  the  IS  is  assumed  to  be  transmitting  the  highest  level  of  data  present  on  the  system  during  network  connection. 

(3)  Employ  identification,  authentication,  and  encryption  technologies  when  accessing  network  devices. 

(4)  Employ  layered  protective,  filtering,  and  monitoring  devices  (for  example,  firewalls,  IDSs)  at  enclave  bounda¬ 
ries,  managed  access  points,  and  key  connection  points. 

(5)  Scan  all  installation  assets  and  devices,  implement  protective  measures,  and  report  non-compliance  to  RCIOs/ 
FClOs  as  required  (minimum  is  semi-annual). 

(6)  Proxy  all  Internet  accesses  through  centrally  managed  access  points  and  isolate  from  other  DOD  or  ISs  by 
physical  or  technical  means. 

f.  E-mail  security.  All  personnel  will  use  e-mail  systems  for  transmission  of  communications  equivalent  to  or  less 
than  the  classification  level  of  the  IS. 

(1)  IA  personnel  will — 

(a)  Promote  security  awareness.  Train  users  to  scan  all  attachments  routinely  before  opening  or  downloading  any 
file  from  e-mail. 

(b)  Configure  ISs  to  use  encryption  when  available  or  as  part  of  the  global  enterprise  to  secure  the  content  of  the  e- 
mail  to  meet  the  protection  requirements  of  the  data. 

(c)  Implement  physical  security  measures  for  any  information  media  and  servers. 

(d)  Install  and  configure  antiviral  and  protective  software  on  e-mail  servers  and  client  workstations. 


40 

ManningB_00016275 


AR  25-2  •  24  October  2007 


J 


(e)  Warn  users  to  treat  unusual  e-mail  messages  the  same  way  they  treat  unsolicited  or  unusual  parcels;  with 
caution. 

(/)  Use  digital  signatures  to  authenticate  a  message  as  needed  (non-repudiation). 

(g)  Configure  ISs  to  prevent  opening  attachments  or  executing  active  code  directly  from  mail  applications. 

(2)  Personnel  will  not  share  their  personally  assigned  e-mail  accounts. 

(3)  Commanders  and  Directors  may  allow  the  limited  use  of  organizational  or  group  e-mail  accounts  where 
operationally  warranted. 

(4)  E-mail  passwords  will  differ  from  the  network  password  when  used,  until  a  global  PKI  initiative  is  available. 

(5)  All  personnel  will  employ  Government  owned  or  provided  e-mail  systems  or  devices  for  official  communica¬ 
tions.  The  use  of  commercial  ISP  or  e-mail  accounts  for  official  purposes  is  prohibited. 

(6)  Auto-forwarding  of  official  mail  to  non-official  accounts  or  devices  is  prohibited. 

(7)  Permit  communications  to  vendors  or  contractors  for  official  business  and  implement  encryption  and  control 
measures  appropriate  for  the  sensitivity  of  the  information  transmitted. 

(8)  IA  Personnel  will  configure  systems  so  that  authorized  users  who  are  contractors,  DOD  direct  or  indirect  hires, 
FNs,  foreign  representatives,  seasonal  or  temporary  hires,  and  volunteers  have  their  respective  affiliations  or  positions 
displayed  as  part  of  their  official  accounts  and  e-mail  addresses. 

g.  Internet,  Intranet,  Extranet,  and  WWW  security. 

(1)  AR  25-1  outlines  requirements  and  policy  on  the  use  of  Government-owned  or  leased  computers  for  access  to 
the  Internet. 

(2)  Users  are  authorized  to  download  programs,  graphics,  and  textual  information  to  a  Government-owned  IS  as 
long  as  doing  so  does  not  violate  Federal  and  state  law,  regulations,  acceptable  use,  and  local  policies  (for  example, 
CM,  IA). 

(3)  Government-owned  or  leased  ISs  will  not  use  commercial  ISPs  (for  example,  CompuServe,  America  on  Line, 
Prodigy)  as  service  providers,  unless  a  Government-acquired  subscription  to  such  services  is  in  place  and  the  access  is 
for  official  business  or  meets  the  criteria  for  authorized  personal  use  as  indicated  in  AR  25-1,  paragraph  6-1. 

(4)  Network  management  and  IA  personnel  will  implement  appropriate  access,  filtering,  and  security  controls  (for 
example,  firewalls,  restriction  by  IP  address). 

(5)  Network  management  and  IA  personnel  will  implement  and  enforce  local  area  management  access  and  security 
controls.  Publicly  accessible  web  sites  will  not  be  installed  or  run  under  a  privileged-level  account  on  any  web  server. 
Non-public  web  servers  will  be  similarly  configured  unless  operationally  required  to  run  as  a  privileged  account,  and 
appropriate  risk  mitigation  procedures  have  been  implemented. 

(6)  Commercial  ISP  services  are  authorized  to  support  those  organizations  identified  in  paragraph  4-206(2),  above, 
and  no  cross  or  direct  connectivity  to  the  N1PRNET  will  exist  or  be  implemented. 

(7)  All  personnel  will  protect  information  not  authorized  to  be  released  for  public  disclosure. 

(8)  Extranet  and  intranet  servers  will  provide  adequate  encryption  and  user  authentication. 

(9)  Extranet  servers  and  access  will  be  approved  through  the  installation  IAM,  documented  in  the  C&A  package, 
and  approved  by  the  appropriate  DAA. 

(10)  Network  managers  and  I A  personnel  will  configure  all  servers  (including  Web  servers)  that  are  connected  to 
publicly  accessible  computer  networks  such  as  the  Internet,  or  protected  networks  such  as  the  SIPRNET,  to  employ 
access  and  security  controls  (for  example,  firewalls,  routers,  host-based  IDSs)  to  ensure  the  integrity,  confidentiality, 
accessibility,  and  availability  of  DOD  ISs  and  data. 

(11)  Commanders  and  supervisors  will  comply  with  Federal,  DOD,  and  DA  Web  site  administration  policies  and 
implementing  content-approval  procedures  that  include  OPSEC  and  PAO  reviews  before  updating  or  posting  informa¬ 
tion  on  all  Web  sites. 

(12)  Network  managers  and  IA  personnel  will  protect  publicly  accessible  Army  Web  sites  by  placing  them  behind 
an  Army  reverse  Web  proxy  server.  The  reverse  proxy  server  acts  as  a  proxy  from  the  intranet  to  the  protected  server, 
brokering  service  requests  on  behalf  of  the  external  user  or  server.  This  use  of  a  reverse  proxy  server  provides  a  layer 
of  protection  against  Web  page  defacements  by  preventing  direct  connections  to  Army  Web  servers. 

(13)  Publicly  accessible  Web  sites  not  protected  behind  a  reverse  Web  proxy  (until  moved)  will  be  on  a  dedicated 
server  in  a  DMZ,  with  all  unnecessary  services,  processes,  or  protocols  disabled  or  removed.  Remove  all  sample  or 
tutorial  applications,  or  portions  thereof,  from  the  operational  server.  Supporting  RCERTs  and  TNOSCs  will  conduct 
periodic  vulnerability  assessments  on  all  public  servers  and  may  direct  blocking  of  the  site  dependent  on  the  inherent 
risk  of  identified  vulnerabilities.  Commanders  or  assigned  IAMs  will  correct  identified  deficiencies. 

(14)  All  private  (non-public)  Army  Web  sites  that  restrict  access  with  password  protection  or  specific  address 
filtering  will  implement  SSL  protocols  utilizing  a  Class  3  DOD  PKI  certificate  as  a  minimum.  NETCOM/9th  SC  (A) 
issues  and  manages  these  certificates. 

(15)  Commanders  will  conduct  annual  OPSEC  reviews  of  all  organizational  Web  sites  and  include  these  results  in 
their  annual  OPSEC  reports  pursuant  to  AR  530-1. 

(16)  To  verify  compliance  with  Federal,  DOD,  and  DA  Web  site  administration  policies,  procedures,  and  best 


41 


ManningB_0001 6276 


AR  25-2  •  24  October  2007 


o 


o 


practices,  the  AWRAC  will  continuously  review  the  content  of  publicly  accessible  U.S.  Army  Web  sites  to  ensure 
compliance.  (See  also  AR  25-1  for  Web  site  administrative  policies.)  AWRAC  will  provide  results  from  these 
assessments  to  commanders  for  corrective  actions. 

h.  Approved  keyboard,  video,  mouse  (KVM)  (keyboard,  monitor,  mouse  (KMM))  switches.  These  devices  are 
primarily  introduced  to  achieve  a  reduction  of  hardware  on  the  desktop  and  do  not  provide  any  IA  features. 

(1)  These  devices  are  not  authorized  for  use  for  cross-domain  interoperability  (NIPRNET-to-SIPRNET  or 
SIPRNET-to-NIPRNET  guarding  solution)  network  connections.  See  BBPs  documentation  on  the  ClO/G-6  IA  Web 
site  for  approved  items  and  implementation  guidelines  (https://informationassurance.us.army.mil). 

(2)  IA  personnel  will  configure  systems  to  utilize  screen-saver  lockout  mechanisms  for  KVM/KMM  switch  environ¬ 
ments  approved  by  the  DA  A. 

i.  Information  assurance  tools.  All  personnel  will  use  only  IA  security  software  listed  on  the  IA  tools  list  on  Army 
systems  and  networks.  The  list  of  Army  approved  IA  tools  is  available  through  the  IA  Web  site.  Requests  for 
consideration  and  approval  for  additional  security  software  packages  to  be  added  to  the  IA  tools  list  must  be  submitted 
through  NETC0M/9th  SC  (A)  channels  ATTN:  NETC-EST-I,  ATTN:  OIA&C  to  CIO/G-6. 

(1)  Installation  I  AM-designated  and  Army-certified  IA  personnel  may  conduct  tests  under  stringent  conditions 
coordinated  with  the  installation  D01M,  IAM,  TNOSC,  and  RCERT,  at  a  minimum. 

(2)  RCIO  IAPM  approval,  and  advance  notification  of  the  servicing  RCERT  and  TNOSC,  is  required  before 
certified  IA  personnel  may  utilize  public  domain  vulnerability  assessment  tools  (for  example,  Nessus,  Nmap,  Saint,  or 
Titan). 

(3)  Organizational  IA  personnel  are  prohibited  from  conducting  penetration  testing  attempts  on  ISs  utilizing 
unauthorized  hacker  tools  or  techniques.  This  restriction  is  applicable  to  operational  networks  and  does  not  apply  to 
those  personnel  or  techniques  used  in  a  testing  environment  for  C&A,  vulnerability  assessments  of  developmental 
systems,  or  used  in  a  training  environment  for  personnel  certifications  on  isolated  networks. 

(4)  Organizational  IAMs  can  request  penetration  testing  of  their  networks.  Subordinate  organizations  may  request 
penetration  testing  through  their  ACOM/ASCC  IAM  to  the  installation  IAM. 

(5)  The  use  of  “keystroke  monitoring”  software  of  any  kind  is  prohibited,  except  by  LE/CI  personnel  acting 
within  proper  legal  authority. 

j.  Networking  security  tools.  The  following  policies  apply  to  networking  security  tools  used  on  ISs: 

(1)  Establish  a  security  and  implementation  policy  for  each  protection  tool  before  purchase  and  implementation. 

(2)  Implement  security  tools  within  the  security  perimeter  defensive  architecture  with  NETC0M/9th  SC  (A) 
approval. 

(3)  Limit  login  access  to  internetworking  devices  to  those  individuals  who  operate  and  maintain  those  devices. 

(4)  Review  configuration  and  audit  files  of  security  internetworking  tools  weekly. 

(5)  The  NETCOM/9th  SC  (A),  in  coordination  with  CIO/G-6  and  the  ACERT,  operates  detection  and  protection 
devices  for  networks  connected  to  the  NIPRNET.  Although  NETC0M/9th  SC  (A)  owns,  operates,  and  maintains  the 
enterprise  devices,  this  does  not  preclude  the  Command,  DOIM,  or  activity  IA  personnel  from  managing  and  analyzing 
local  networks  or  data.  Local  management  of  an  IDS/IPS  is  recommended  with  notification  to  the  DOIM  and/or 
TNOSC.  The  notification  will  document  the  operational  requirement,  the  intent  of  monitoring,  and  the  device  utilized. 
Staff  the  notification  to  the  RCIO  IAPM  and  submit  to  the  supporting  DOIM  and  RCERT/TNOSC.  The  requesting 
activity  is  responsible  for  providing  the  hardware  and  software  necessary.  All  independent  installations  of  IDS/IPS 
technologies  will  be  configured  to  also  support  enterprise  sensing  and  warning  management  activities.  Coordinate  the 
configuration  and  reporting  requirements  with  the  supporting  RCERT/TNOSC. 

k.  Tactical  systems. 

(1)  Tactical  systems,  including  weapon  system  and  devices  integral  to  weapon  or  weapon  support  systems,  that 
include  features  normally  associated  with  an  IS  will  implement  the  requirements  of  this  regulation,  DODI  8500.2,  and 
Interim  DIACAP. 

(2)  When  one  or  more  of  the  minimum-security  requirements  are  impractical  or  adversely  impose  risk  of  safety-of- 
use  because  of  the  function  and  design  of  the  system,  the  situation  will  be  addressed  in  the  C&A  package  and 
considered  by  the  CA  and  the  DAA  in  determining  the  CA  recommendation  and  the  DAA  authorization  decision. 

(3)  Mechanisms  must  be  available  to  render  the  IS  inoperable  in  case  of  imminent  capture  by  hostile  forces. 

(4)  Tactical  networks  connecting  to  standard  tactical  entry  point  (STEP)  sites,  garrison,  or  other  fixed  networks  must 
be  compliant  with  all  security  requirements  (for  example,  configurations,  approved  software,  C&A)  before  connection. 
They  will  be  protected  by  access  controls  and  intrusion  prevention  and  intrusion  detection  systems  in  the  same  manner 
as  garrison  network  defenses  described  earlier  and  will  implement  a  DiD  strategy. 
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Section  VIII 

Incident  and  Intrusion  Reporting 

4-21.  Information  system  incident  and  intrusion  reporting 

Incidents  may  result  from  accidental  or  deliberate  actions  on  the  part  of  a  user  or  external  influence.  Evidence  or 
suspicion  of  an  incident,  intrusion,  or  criminal  activity  will  be  treated  with  care,  and  the  IS  maintained  without  change, 
pending  coordination  with  IA,  ACERT/RCERT,  and  LE/CI  personnel.  Commanders  and  IA  personnel  will  enforce  the 
policies  governing  unauthorized  use  of  computer  resources.  All  personnel  will  report  all  potential  or  malicious 
incidents.  Time-sensitive  actions  are  necessary  to  limit  the  amount  of  damage  or  access.  Commanders  and  IA  personnel 
will  report  IS  incidents  to  external  agencies  to  assist  LE  or  investigative  agencies,  and  assist  in  compiling  supporting 
evidence,  impact  assessments,  associated  costs,  containment  viability,  and  eradication  and  reconstruction  measures  to 
effectively  manage  the  breach  and  provide  evidentiary  material  for  prosecution. 

a.  All  personnel  will  protect  IS  incident  reports  as  a  minimum  FOUO  or  to  the  level  for  which  the  system  is 
accredited. 

b.  IA  personnel  will  validate  IS  incident  reporting  procedures  annually  for  all  users. 

c.  All  personnel  will  report  IS  incidents  or  events  including,  but  not  limited  to — 

(1)  Known  or  suspected  intrusion  or  access  by  an  unauthorized  individual. 

(2)  Authorized  user  attempting  to  circumvent  security  procedures  or  elevate  access  privileges. 

(3)  Unexplained  modifications  of  files,  software,  or  programs. 

(4)  Unexplained  or  erratic  IS  system  responses. 

(5)  Presence  of  suspicious  files,  shortcuts,  or  programs. 

(6)  Malicious  logic  infection  (for  example,  virus,  worm,  Trojan). 

(7)  Receipt  of  suspicious  e-mail  attachments,  files,  or  links. 

(8)  Spillage  incidents  or  violations  of  published  BBP  procedures. 

d.  A  serious  incident  report  (SIR)  will  be  generated  and  reported  per  AR  1 90-45  under  the  following  conditions — 

(1)  The  incident  poses  grave  danger  to  the  Army’s  ability  to  conduct  established  information  operations. 

(2)  Adverse  effects  on  the  Army’s  image  such  as  Web  page  defacements. 

(3)  Access  or  compromise  of  classified,  sensitive,  or  protected  information  (for  example,  Soldier  identification 
information  (SSN),  medical  condition  or  status,  doctor-patient,  or  attorney-client  privilege). 

(4)  Compromise  originating  from  a  foreign  source. 

(5)  Compromise  of  systems  that  may  risk  safety,  life,  limb,  or  has  the  potential  for  catastrophic  effects,  or  contain 
information  for  which  the  Army  is  attributable  (for  example,  publicly  accessible  waterways  navigational  safety 
information  from  the  USACE). 

(6)  Loss  of  any  IS  or  media  containing  protected  or  classified  information. 

4-22.  Reporting  responsibilities 

a.  An  individual  who  suspects  or  observes  an  unusual  or  obvious  incident  or  occurrence  will  cease  all  activities  and 
will  notify  his  or  her  SA/NA,  IASO,  or  IAM  immediately. 

b.  If  the  SA/NA,  IASO,  or  IAM  is  not  available,  the  individual  will  contact  his  or  her  supporting  installation  IAM 
and  theater  RCERT. 

c.  Any  SA/NA,  IASO,  or  IAM  who  observes  or  suspects  an  incident  or  intrusion,  or  receives  information  on  an 
incident,  will  logically  isolate  the  system,  prohibit  any  additional  activities  on  or  to  the  system,  and  immediately  notify 
his  or  her  supporting  RCERT/TNOSC.  Take  no  additional  actions  to  investigate  the  incident  until  directed  by  the 
RCERT. 

d.  Isolation  includes  physical  isolation  (unplugging  the  network  connection),  restricting  any  direct  physical  access, 
and  logical  isolation  (blocking  the  IP  at  security  routers  or  firewalls  both  inbound  and  outbound)  from  the  network  to 
the  system. 

e.  If  the  RCERT  is  not  available  then  the  SA  or  IASO  will  contact  the  ACERT  directly.  In  addition,  report  per  local 
supervisory  reporting  policies  in  effect. 

/  Each  RCERT  is  responsible  for  collecting  and  recording  all  the  required  information,  coordinating  all  incident 
response  procedures  between  LE/CI  personnel  and  the  organization,  and  conducting  all  intrusion  containment,  eradica¬ 
tion,  and  verification  measures. 

g.  The  IS  incident  reporting  format  and  additional  reporting  requirements  are  available  on  the  ACERT  and  support¬ 
ing  RCERT  NIPRNET/SIPRNET  Web  sites. 

4-23.  Compromised  information  systems  guidance 

a.  When  directed  by  RCERT,  all  ISs  determined  to  be  compromised  either  through  unauthorized  access  or  malicious 
logic  will  be  rebuilt  from  original  media,  patched,  and  scanned  for  compliance  before  reintroduction  to  the  network. 

b.  IA  personnel  will  scan  all  similar  ISs  or  devices  on  the  compromised  network  for  configuration  compliance  or 
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vulnerability  identification  and  immediately  correct  vulnerable  systems.  If  during  the  course  of  this  assessment 
additional  ISs  are  identified  as  compromised,  IA  personnel  will  report  these  system  as  compromised  and  take  no  further 
action. 

c.  Networks  may  require  re-accreditation,  under  the  DIACAP,  following  any  successful  compromise. 

d.  Specific  details  and  actions  for  a  compromised  system  are  available  on  the  ACERT  Web  site. 

Section  IX 

Information  Assurance  Vulnerability  Management 

4-24.  Information  assurance  vulnerability  management  reporting  process 

a.  General.  The  Information  Assurance  Vulnerability  Management  (IAVM)  Program  is  the  absolute  minimum 
standard  for  all  ISs,  not  the  preferred  end  state  which  is  a  proactive  methodology  of  maintaining,  patching,  and 
updating  systems  before  notification  or  exploitation.  IAVM  requires  the  completion  of  four  distinct  phases  to  ensure 
compliance.  These  phases  are — 

(1)  Vulnerability  identification,  dissemination,  and  acknowledgement. 

(2)  Application  of  measures  to  affected  systems  to  make  them  compliant. 

(3)  Compliance  reporting. 

(4)  Compliance  verification. 

b.  Responsibilities.  The  CIO/G-6  will  be  the  POC  to  acknowledge  receipt  (within  five  days)  of  DOD  CERT  issued 
IAVM  messages,  aggregate  compliance  and  waiver  data,  and  report  (within  30  days  or  as  directed)  to  DOD.  Systems 
and  processes  for  collecting  detailed  information  and  for  implementing  IAVM  are  the  responsibility  of  every  IA 
person. 

c.  Army  implementation  of  IAVM.  ACERT/A-GNOSC  will  serve  as  the  Army’s  focal  point  for  initiation  of  the 
IAVM  process. 

(1)  Vulnerability  identification,  dissemination,  and  acknowledgment.  ACERT/A-GNOSC  will  issue  Army  IAVM 
messages.  There  are  three  types  of  DOD  IAVM  messages:  alert  (IAVA),  bulletin  (IAVB),  and  Technical  Advisory 
(TA).  DOD  has  restricted  the  use  of  these  terms  to  the  IAVM  program  only. 

(a)  IAVAs  will  establish  mandatory  suspense  dates  for  acknowledgement  and  compliance,  corrective  actions  to 
negate  vulnerabilities,  and  implementation  of  additional  CND  requirements. 

(b)  lAVBs  will  establish  mandatory  suspense  dates  for  acknowledgement  yet  allow  commanders  and  IA  personnel 
flexibility  for  implementation  of  the  corrective  actions  to  negate  vulnerabilities  or  implementation  of  CND  require¬ 
ments.  Corrective  actions  are  required  to  be  completed,  but  not  reported. 

(c)  Information  Assurance  Technical  Tips  (IATTs)  (Army  designation)  allow  commanders  and  IA  personnel  flexibil¬ 
ity  for  acknowledgement  and  implementation  to  negate  vulnerabilities  or  implement  CND  requirements.  Acknowledge¬ 
ment  and  compliance  are  not  reported.  Corrective  actions  are  required  to  be  completed  but  not  reported. 

(d)  All  personnel  responsible  for  implementing  the  IAVM  process  will  join  the  Army  IAVM  Community  Group  on 
AKO  to  receive  messages.  Use  only  official  e-mail  accounts  for  this  distribution  list.  IAVM  messages  are  available  on 
the  asset  and  vulnerability  tracking  resource  (A&VTR)  Web  site. 

(2)  IAVM  compliance.  Commanders,  PEOs,  PMs,  and  designated  IA  officers  will  disseminate  implementation 
guidance  and  ensure  compliance  to  IAVM  requirements.  Commanders  or  IA  personnel  will  provide  contractors, 
contracted  support,  or  other  personnel  (as  necessary)  IAVM  information  as  required  to  support  compliance 
requirements. 

4-25.  Compliance  reporting 

a.  The  RCIOs,  ACOMs/ASCCs/DRUs  commanders,  PEOs,  PMs  (or  their  IA  officers),  and  garrison  commanders 
will  ensure  that  messages  are  acknowledged,  corrective  actions  are  implemented,  extensions  are  requested,  compliance 
is  verified,  and  reporting  information  is  entered  into  A&VTR.  Within  10  calendar  days  from  the  date  of  the  IAVM 
message,  SA/NAs  will  conduct  a  baseline  assessment  scan  for  affected  assets  and  enter  identified  assets  into  A&VTR. 
RCIOs  will  oversee  IAVM  compliance  reporting  for  their  regions  or  commands. 

b.  PEOs  and  PMs  will  implement  corrective  actions  for  IAVM  vulnerabilities  that  apply  to  systems  under  their 
control.  Tactical  systems  will  document  compliance  methodology  in  a  classified  Scorecard  and  POA&M  as  part  of 
their  C&A  package.  DAAs  will  resolve  compliance  issues  where  it  may  result  in  safety  or  performance  issues  of  a 
combat  system  that  are  operationally  unacceptable. 

c.  If  corrective  actions  required  by  issued  alerts  adversely  affect  operations,  IAMs  or  their  designated  representatives 
(for  example,  affected  SAs  or  lANMs)  will  conduct  a  risk  assessment  for  the  commander  and  contact  their  supporting 
RCIO,  IAPM,  or  IAM.  The  RCIO,  IAPM,  or  IAM  will  contact  the  CIO/G-6  through  ACERT/  NETCOM/9th  SC  (A)  to 
request  an  extension,  not  to  exceed  180  days,  and  to  develop  and  implement  an  acceptable  alternative  security  solution. 
The  alternative  security  solutions  must  be  coordinated  with  the  ACERT/  NETCOM/9th  SC  (A)  before  approval  by  the 
appropriate  DAA.  This  extension  request  will  include  risk  mitigation  steps  taken  to  reduce  or  eliminate  the  IAVM- 
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identified  risks  until  an  acceptable  solution  is  implemented.  The  extension  request  will  include  a  POA&M  (get  well 
plan)  to  be  considered  in  the  CA  risk  determination. 

d.  IAVM  compliance  reporting  will  be  accomplished  through  the  Army’s  A&VTR.  To  meet  DOD  requirements, 
register  specific  system/asset  owners  and  SAs,  including  applicable  electronic  addresses,  in  A&VTR. 

e.  All  IAVM  compliance  reporting  of  classified,  tactical,  or  operationally  sensitive  ISs  will  be  through  the  A&VTR 
when  located  on  the  SIPRNET. 

4-26.  Compliance  verification 

JAVA  Compliance  Verification  Teams  (CVTs)  will  conduct  short-notice  inspections  of  randomly  selected  units  to 
verify  compliance  with  IAVM  messages. 

a.  Membership  in  the  CVT  may  include  a  ClO/G-6  Team  Chief;  a  vulnerability  scan  technician;  U  S.  Army  Audit 
Agency  representatives,  operating  under  AR  36-2  and  AR  36-5;  and  U.S.  Army  Criminal  Investigation  Command 
representatives  operating  under  AR  195-2. 

b.  In  addition  to  reporting  requirements  under  AR  36-2,  AR  36-5,  and  AR  195-2,  the  CVT  will  report  to  the 
inspected  unit,  the  CIO/G-6,  and  the  Senior  Army  Leadership.  The  ClO/G-6  will  provide  a  copy  to  the  appropriate 
ACOM,  ASCC,  PEO,  and  PM  CIOs. 

c.  Findings  require  a  reply  by  endorsement  on  the  corrective  actions  taken  by  the  inspected  command. 

4-27.  Operating  noncompliant  information  system 

Commanders,  organization  directors  and  responsible  individuals  for  example;  DAAs,  IAPMs,  or  IAMs,  will  operate 
noncompliant  assets  only  with  an  approved  Mitigation  Action  Plan  (MAP)  and  POA&M.  MAPs  are  temporary 
measures  approved  to  permit  additional  time  or  develop  solutions  to  bring  noncompliant  assets  into  compliance.  The 
POA&M  identifies  the  get  well  plan  including  the  schedule.  Noncompliant  assets  without  an  approved  MAP  will  be 
disconnected,  blocked,  or  otherwise  have  the  vulnerability  mitigated.  Organizations  and  individuals  operating  noncom¬ 
pliant  assets  are  accepting  risks,  accountability,  and  responsibility  for  internal  and  external  impacts  to  the  network  in 
the  event  the  system  is  compromised  or  the  vulnerability  is  exploited. 

a.  Establish  a  capability  to  implement  or  effectively  mitigate  the  risk  posed  by  critical  vulnerabilities  as  identified  in 
IAVA  notifications. 

b.  MAPs  will  address  specific  actions  taken  to  mitigate  risks  identified  in  IAVA  messages. 

c.  MAPs  are  tracked  in  A&VTR  Database.  Approvals  and  denials  are  granted  at  the  appropriate  DAA,  DOIM, 
ACERT/A-GNOSC,  and  HQDA  levels,  and  in  some  instances  approvals  are  reserved  only  for  the  DCS,  G-3/5/7. 

d.  MAPs  focus  on  systems  not  able  to  comply  within  the  period  specified  in  the  IAVA  notification  message. 
Organizations  will  first  use  all  their  available  resources  to  ensure  vulnerable  systems  are  patched  before  requesting 
extensions.  MAPs  will  reflect  a  detailed  reason,  operational  impact  statement,  efforts  to  bring  the  systems  into 
compliance,  and  a  mitigation  strategy. 

e.  First  MAP  requests;  The  DAA  for  the  1CAN  may  approve  MAPs  up  to  30  days  from  the  compliance  date  on  the 
IAVA  message  and  includes  the  number  of  impacted  systems  not  able  to  comply  within  period  specified  in  the 
notification  message.  The  First  MAP  begins  the  day  after  the  original  IAVA  compliance  suspense  and  is  valid  for  up  to 
30  days.  Approval  will  be  based  on  a  sound  MAP  that  minimizes  the  risk  of  compromise  to  Army  networks. 

/  Second  MAP  requests:  This  MAP  will  be  valid  up  to  60  days  after  the  end  date  of  the  local  DAA  approved  30- 
days  and  will  reflect  the  number  of  remaining  systems  not  able  to  comply  after  the  30-day  approval  from  the  local 
DAA.  The  Director,  NETCOM  Office  of  Information  Assurance  and  Compliance  (OlA&C),  approves  second  MAPs 
with  ACERT/A-GNOSC  A2TAG  recommendations. 

g.  Third  MAP  requests:  The  CIO/G-6  approves  third  MAPs.  They  are  reserved  for  rare  cases  where  circumstances 
have  prevented  compliance  with  an  IAVA  during  the  timelines  for  first  or  second  MAPs,  to  include  mission  required 
legacy  systems.  Third  MAPs  begin  the  day  after  the  second  MAP  ends  and  runs  for  a  period  directed  by  the  approval 
authority,  for  a  maximum  of  2  years. 

h.  The  A&VTR  keeps  a  history  file  of  all  MAP  actions.  Open  MAPs  will  be  reviewed  and  revalidated  within 
A&VTR. 

i.  If  an  IAVA  message  states:  DCS,  G-3/5/7  approval  only,  then  the  MAP  can  only  be  approved  by  the  DCS,  G-3/ 
5/7  with  recommendations  accepted  from  the  local  DAA,  the  NETCOM  OIA&C  Director,  and  the  CIO/G-6. 

Section  X 

Miscellaneous  Provisions 

4-28.  Vulnerability  and  asset  assessment  programs 

Several  Vulnerability  Assessment  Programs  and  services  are  available  throughout  the  Army.  The  ACERT/A-GNOSC 
provides  comprehensive  support  in  the  areas  of  CND  and  IA  Vulnerability  Assessments;  the  U.S.  Communications- 
Electronics  Command  (CECOM)  provides  assessments  and  support  in  the  areas  of  platforms  and  IA  architecture;  the 


45 


ManningB_00016280 


AR  25-2  •  24  October  2007 


© 


o 


Army  Research  Laboratory  (ARL)  may  provide  support  in  the  areas  of  survivability  and  lethality;  and  C1D  provides 
comprehensive  crime  prevention  surveys. 

a.  All  scans  will  be  coordinated  within  AOR  between  the  initiating  or  oversight  component  and  the  supporting 
RCERT/TNOSC. 

b.  Prohibit  scans  across  network  segments  protected  by  a  TNOSC  security  router  or  IDS,  unless  specifically 
coordinated  and  approved  by  NETCOM/9th  SC  (A). 

c.  Only  trained  or  product  certified  personnel  will  use  assessment  software. 

d.  Before  conducting  mapping  or  scanning  of  a  network,  war  dialing,  or  war  driving,  the  IAM  will  notify  the  DOIM 
and  the  servicing  RCERT/TNOSC  with  the  purpose,  start,  type  and  duration  of  the  scanning  activity. 

e.  Personnel  will  provide  a  copy  of  the  assessment  results  to  the  servicing  DOIM  and  RCERT/TNOSC. 

/  Installations  that  do  not  have  the  expertise,  requisite  certification  level,  or  resources  to  scan  their  own  networks 
may  request  an  assessment  scan  through  their  supporting  RCERT/TNOSC. 

g.  Commanders,  IA  personnel  and  network  management  personnel  will  treat  unannounced  or  unauthorized  scanning 
of  networks  as  potential  intrusions  and  report  when  detected.  Persons  conducting  unauthorized  scans  of  Army  networks 
may  be  subject  to  administrative  actions  or  criminal  prosecution. 

h.  IAMs  and  lASOs  will  establish  procedures  to  scan  their  networks  quarterly  to  identify  assets;  application, 
network,  and  operating  system  vulnerabilities;  configuration  errors;  and  points  of  unauthorized  access. 

i.  Train  all  IA  participants  on  approved  scanning  tools  and  assessors  will  sign  an  acknowledgment  of  complete 
understanding  of  the  “rules  of  engagement”  before  conducting  any  scanning  activity.  For  example — 

(1)  No  reading  of  personal  data  on  networks  while  conducting  a  vulnerability  assessment. 

(2)  No  penetration  testing. 

(3)  No  denial-of-service  attacks  or  tests. 

(4)  No  scanning  outside  local  network  enclave  borders. 

j.  Utilize  the  Do-it  Yourself  Vulnerability  Assessment  Program  (D1TY  VAP)  to  assess  configurations,  compliance, 
asset  identification,  unauthorized  connectivity,  and  security  vulnerabilities  within  local  network  enclave  borders.  DITY 
VAP  assessments  prohibit  the  use  of  data  corruption,  data  manipulation,  data  denial,  examination  of  data  content, 
denial  of  service,  or  “hacking”  and  penetration  tools  and  techniques. 

k.  Information  Operations  Vulnerability  Assessments  Division  (IOVAD)  Blue  Team  and  Red  Team  Programs.  The 
1st  10  CMD  IOVAD  offers  assessment  support  in  the  areas  of  information  management  and  security,  in  which  focused 
efforts  assess  IA  through  the  elements  of  OPSEC,  COOP,  INFOSEC,  COMSEC,  and  CND.  In  addition,  IOVAD  Red 
Teams  are  available  to  challenge  and  assess  readiness. 

/.  RCERTs  and  TNOSCs  may  conduct  no-notice  remote  scanning  across  enterprise  boundaries,  including,  but  not 
limited  to,  IAVM  support,  threat  or  asset  identification,  or  vulnerable  systems  and  services  identification,  with  or 
without  coordination  with  commanders  or  IA  personnel.  Assessment  scanning  from  authorized  external  organizations  is 
normally  conducted  from  documented  and  readily  identified  systems.  IA  personnel  will  implement  verification  proce¬ 
dures  to  validate,  but  not  hinder  or  deny,  these  scanning  activities.  RCERTs  and  TNOSCs  may  block  or  deny  access  to 
vulnerable  systems  identified  during  these  scans  until  corrections  have  been  made. 

4-29.  Portable  electronic  devices 

Portable  electronic  devices  (PEDs)  are  portable  ISs  or  devices  with  or  without  the  capability  of  wireless  or  LAN 
connectivity.  These  include,  but  are  not  limited  to,  cell  phones,  pagers,  personal  digital  assistants  (PDAs)  (for  example, 
Palm  Pilots,  Pocket  PCs),  laptops,  memory  sticks,  thumb  drives,  and  two-way  radios.  Current  technologies  (infrared, 
radio  frequency,  voice,  video,  microwave)  allow  the  inclusion  of  numerous  capabilities  within  a  single  device  and 
dramatically  increases  the  risks  associated  with  IS  and  network  access.  Management  of  these  devices  will  be  as 
follows: 

a.  PEDs  containing  wireless  communications  or  connectivity,  audio,  video,  recording,  or  transmission  capabilities 
will  be  prohibited  from  areas  where  classified  information  is  discussed  or  electronically  processed,  unless  specifically 
documented  in  the  C&A  package  and  permitted  as  an  exception  by  the  DAA  and  all  classification,  access,  and 
encryption  restrictions  are  enforced  for  the  PED  as  they  would  be  for  a  classified  device. 

b.  Implement  identification  and  authentication  measures  at  both  the  device  and  network  level  if  connectivity  is 
approved.  Voice  does  not  require  DOD  PKI  IA. 

c.  PEDs  will  support  PKI,  digital  certificates,  FIPS,  or  NSA  validated  crypto  modules  or  data  encryption  standards 
appropriate  for  the  classification  level  of  the  information  processed. 

d.  Provide  all  PED  users  with  security  awareness  training  regarding  the  physical  and  information  security  vul¬ 
nerabilities  and  policies  of  the  device. 

e.  Contractor  provided  or  owned  PEDs  (if  approved)  will  be  stated  as  mission  essential  in  contracts,  and  will  meet 
all  C&A  standards  and  are  subject  to  inspections  and  IA  requirements  as  any  other  IS. 

/  Employee  owned  PEDs  are  prohibited  for  use  in  official  communications  or  connections  to  Army  networks. 
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4-30.  Wireless  local  area  networks 

Wireless  LANs  are  extensions  of  wired  networks  and  will  implement  1A  policies  and  procedures  in  accordance  with 
this  and  other  applicable  regulations.  Non-compliant  wireless  LANs  will  have  migration  plans  documented  in 
POA&Ms,  that  ensure  the  systems  will  meet  the  minimum  requirements  of  this  policy.  The  DAA  will  consider  the 
POA&M  in  the  authorization  decision.  All  Army  organizations  and  activities  operating  wireless  local  area  networks 
(WLANs)  will  comply  with  the  following  and  as  supplemented  in  BBPs: 

a.  Pilot  and  fielded  wireless  LANs  and  PEDs  with  LAN  connectivity  will  meet  the  same  C&A  and  1A  security 
requirements  as  wired  LAN  ISs  in  accordance  with  this  regulation,  AR  380-53,  AR  25-1,  and  DOD1  8500.2. 

b.  DOlMs  and  IAMs  will  verify  the  1A  C&A  authorization  of  WLANs  that  connect  to  the  installation. 

c.  SOs  will  configure  and  install  wireless  solutions  to  preclude  backdoors. 

d.  Where  wireless  LANs  are  implemented  or  proposed,  thorough  analysis,  testing,  and  risk  assessments  must  be 
done  to  determine  the  risks  associated  with  potential  information  intercepts  or  monitoring,  TEMPEST  emanations,  and 
network  vulnerability. 

e.  The  use  of  AV  software  on  wireless-capable  ISs  and  devices  is  required. 

/  Users  will  be  authenticated  to  the  devices  authorized  for  WLAN. 

g.  DOIMs  and  IAMs  will  control,  monitor,  and  protect  wireless  access  gateways  with  firewalls  and  IDS  devices. 

h.  Certify  all  wireless  devices  procured  with  Army  funds  for  spectrum  supportability  through  the  Military  Communi¬ 
cations  Electronics  Board  (MCEB)  per  DODD  5000.1  and  AR  5-12.  Submit  spectrum  supportability  requests  to 
NETCOM/9th  SC  (A),  ATTN:  NETC-EST-V,  Suite  1204,  2461  Eisenhower  Avenue,  Alexandria,  VA  22331-0200. 

/'.  DOIMs  and  IAMs  will  terminate  wireless  access  points  at  a  boundary  device  in  the  DMZ,  not  in  the  internal 
enclave. 

j.  Certify  that  WLAN  frequencies  meet  any  host  nation  or  Government  restrictions. 

4-31.  Employee-owned  information  systems 

a.  Prohibit  the  use  of  employee-owned  information  systems  (EOlSs)  for  classified  or  sensitive  information. 

b.  The  use  of  an  EOIS  for  ad-hoc  (one-time  or  infrequent)  processing  of  unclassified  information  is  restricted  and 
only  permitted  with  IAM,  DAA,  or  commander  approval.  Requirements  for  use  and  approval  are  included  in  AR  25-1. 

c.  If  approved  for  ad  hoc  use,  EOISs  processing  official  data  will  comply  with  all  security  provisions  of  this 
regulation.  Computer  owners  will  implement  1A  countermeasures  required  by  this  regulation,  specifically  AV  and  1A 
software  and  updates,  or  be  prohibited  from  such  activity.  All  processed  data  will  be  removed  from  the  EOIS  and 
personnel  will  sign  compliance  statements  that  the  data  was  removed. 

d.  Include  security  requirements  and  authorized  software  availability  for  the  use  and  safeguarding  of  EOISs  in 
security  training. 

e.  Contractor-owned  and  operated  ISs  will  meet  all  security  requirements  for  Govemment-owned  hardware  and 
software  when  operating  on  the  AEI,  managing,  storing,  or  processing  Army  or  DOD  data  or  information,  or 
conducting  official  communications  or  business. 

f.  Scan  all  data  processed  from  an  EOIS  before  inclusion  or  introduction  into  the  network. 

g.  Prohibit  all  remote  access  for  remote  management  from  any  EOISs. 

4-32.  Miscellaneous  processing  equipment 

There  is  a  variety  of  non-COMSEC-approved  miscellaneous  process  equipment  (MPE)  involved  with  classified  or 
sensitive  information.  This  includes  copiers,  facsimile  machines,  peripherals,  electronic  typewriters,  word  processing 
systems,  and  others.  Activities  must  identify  those  features,  parts,  or  functions  used  to  process  information  that  may 
retain  all  or  part  of  the  information.  Security  procedures  must  prescribe  the  appropriate  safeguards,  in  accordance  with 
AR  380-5,  chapter  7  to  prevent  unauthorized  access  to  either  the  information  or  equipment. 

a.  Digital  copiers,  printers,  scanners,  faxes,  and  similar  IS  devices  employ  embedded  hard-drives  or  other  media  that 
may  retain  residual  classified  or  sensitive  information.  Include  these  devices  as  part  of  the  C&A  process. 

b.  Destroy  replaced  equipment  parts  per  classification  level  when  removed. 

c.  Cleared  and  technically  qualified  personnel  will  inspect  equipment  before  equipment  removal  from  protected 
areas. 

d.  Peripheral  devices  (for  example,  printers,  copiers)  are  subject  to  1AVM  compliance  and  accreditation. 

e.  Peripheral  devices  (for  example,  printers,  copiers)  are  subject  to  sanitizing,  purging,  or  disposition  restrictions  as 
published. 
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Chapter  5 

Certification  and  Accreditation 

5-1.  Certification  and  accreditation  overview 

a.  This  chapter  outlines  the  policies  governing  the  Information  Assurance  Certification  and  Accreditation  (IA  C&A) 
of  ISs  which  includes  networks  in  accordance  with  DODD  8500.1,  DODI  8500.2,  P.L.  100-235,  OMB  Circular  A-130, 

DODD  5220.22,  DOD  5220.22M,  DOD  5220.22-M-SUP,  and  44  USC  3541  as  it  pertains  to  C&A.  The  goal  of  I A 
C&A  is  to  understand  the  vulnerabilities,  determine  the  risk  introduced  through  operations  or  connections  of  the 
system,  and  provide  appropriate  information  for  the  DAA  to  consider  the  IA  risk  in  contemplating  an  approval  to 
operate  decision.  This  section  streamlines  some  of  the  process  to  enable  those  risk  determinations  to  be  made 
consistently,  economically  and  timely. 

b.  C&A  policy  is  found  in  this  regulation  and  is  supported  by  the  guidelines  located  in  the  C&A  BBP — 

(1)  The  IA  C&A  Process  BBP. 

(2)  The  IA  C&A  DAA  BBP. 

(3)  The  I A  C&A  Certification  Authority  (CA)  BBP. 

(4)  The  IA  C&A  Agents  of  the  Certification  Authority  (ACA)  BBP. 

c.  All  ISs  will  be  certified  and  accredited  in  accordance  with  the  Interim  DIACAP  documenting  compliance,  at  a 
minimum,  with  this  regulation,  and  DODI  8500.2  IA  controls  associated  with  the  specific  MAC  and  confidentiality 
level.  C&A  will  be  performed  according  to  the  type  accreditation  process  or  by  the  site-based  accreditation  process. 

The  IS  being  accredited  may  be  considered  as  a  single  system,  system  of  systems,  enclave  or  network. 

d.  Army  DODIIS  systems  will  be  certified  and  accredited  by  the  DCS,  G-2  for  PL  1,  2  and  3  in  accordance  with 
DCID  6/3. 

e.  Information  systems  currently  operating  under  an  ATO  will  not  need  to  redo  the  accreditation  under  this  new 
process  until  such  time  as  the  approval  expires  or  is  otherwise  revoked.  This  could  be  the  result  of  3  years  expiration, 
annual  revalidation  results,  caveat  in  the  ATO,  major  change  in  the  system,  its  environment  or  operations,  or  as 
required  by  the  DITSCAP. 

/  Tactical  IS  must  address  their  tactical  and  garrison  configuration  and  environment  (if  they  intend  to  operate  in 
garrison  on  a  live  network  or  with  live  data)  during  the  C&A  process. 

g.  Tactical  IS  that  are  subject  to  deployment  must  have  a  “fly  away”  package  of  IA  information  to  provide  to  their 
network  service  provider  as  required.  Refer  to  the  C&A  BBP  for  details  on  the  composition  of  the  fly  away  package. 

h.  A  Government  SO  will  be  identified  for  each  IS  used  by  or  in  support  of  the  Army.  The  SO  is  responsible  for 
ensuring  the  security  of  the  IS  as  long  as  it  remains  in  Army  inventory,  or  until  transferred  (temporarily  or  permanent¬ 
ly)  to  another  Government  person  or  organization  and  such  transfer  is  appropriately  documented  and  provided  as  an 

artifact  to  the  accreditation  package.  i 

i.  If  the  SO  can  not  be  identified,  then  the  IS  should  be  deemed  unnecessary  and  removed  from  Army  inventory. 

j.  When  selecting  software,  priority  should  be  given  to  software  with  vendor  integrity  statements  (VISs)  that  verify 
that  vendor  software  will  not  affect  the  integrity  of  operating  systems  when  utilized. 

k.  When  selecting  software  priority  should  be  given  to  corporations  that  develop,  manufacture  and  manage  software 
that  are  U.S.  owned,  controlled  or  influenced. 


/.  Foreign-Ownership,  Control,  or  Influence  (FOCI)  will  be  taken  into  account  prior  to  software  development, 
integration,  or  purchase  and  identified  in  the  IS  C&A  package. 

m.  Published  or  established  NETCOM/9TH  SC  (A)  CCB  and  Networthiness  certification  requirements  will  be 
incorporated  during  the  C&A  process. 

5-2.  Certification 

a.  Authority  and  responsibility  for  certification  is  vested  in  the  Army  Federal  Information  Security  Management  Act 
(FISMA)  Senior  IA  Officer  (SIAO).  The  Director  OlA&C,  NETC-EST-I,  was  appointed  as  the  F1SMA  S1AO  by  the 
DA  CIO/G-6  and  will  be  the  single  Army  CA.  The  Army  CA  is  the  single  authority  for  CA  recommendations  to  all 
Army  DAAs  with  the  exception  of  IS  completing  C&A  under  the  DODI1SS  Program. 

b.  The  Army  CA  will  maintain  a  list  of  qualified  Government  organizations  and  labs,  as  trusted  Agents  of  the  CA 
(ACA),  to  perform  the  certification  activities.  The  reimbursable  ACAs  are  available  to  provide  SOs  with  certification 
capabilities.  While  the  lead  ACA  will  report  the  results  of  the  certification  activities  to  the  CA,  only  the  CA  will  make 
the  operational  IA  risk  recommendation  to  the  DAA  in  support  of  an  approval  to  operate  decision. 

c.  Organizations  can  request  appointment  as  an  ACA  by  following  the  process  in  the  IA  C&A  ACA  BBP. 

d.  It  is  the  responsibility  of  the  SO  to  plan  and  budget  for  IS  certification  and  accreditation  efforts. 

e.  It  is  the  responsibility  of  the  SO  to  select  from  the  approved  ACA  list  an  ACA  organization  that  best  supports  the 
program  requirements,  such  as  those  of  cost  and  schedule. 

/  IA  certification  considers — 
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(1)  The  IA  posture  of  the  IS  itself,  that  is  the  overall  reliability  and  viability  of  the  IS  plus  acceptability  of  the 
implementation  and  performance  of  1A  mechanisms  or  safeguards  that  are  inherent  in  the  system  itself. 

(2)  How  the  system  behaves  in  the  larger  information  environment  (for  example,  does  it  introduce  vulnerabilities  to 
the  environment,  does  it  correctly  and  securely  interact  with  the  information  environment  management  and  control 
services). 

g.  The  ACA  certification  determination  is  based  on  actual  results  of  the  validation  and  the  risk  introduced  by  non- 
compliance  with  stated  requirements. 

h.  Certification  represents  proof  of  compliance  with  this  regulation  and  the  DODI  8500.2  IA  controls  for  the 
appropriate  MAC  level  and  the  Confidentiality  level,  at  a  minimum.  Non-compliance  will  require  the  creation  of  a 
POA&M  to  bring  the  IS  into  compliance. 

/'.  DCS,  G-2  is  the  Service  Certifying  Organization  for  the  Army  DODIIS  Program  up  to  PL  4. 

5-3.  Tailoring 

a.  The  time  and  labor  expended  in  the  C&A  process  must  be  proportional  to  the  system  mission  assurance  category 
(MAC)  level,  confidentiality  level,  and  number  of  users. 

b.  The  activities  defined  in  the  DIACAP  are  mandatory.  However,  implementation  of  these  activities  and  their 
output  should  be  tailored  as  appropriate  and  integrated  with  other  acquisition  activities  and  documentation  where 
applicable. 

c.  Compliance  with  Information  Assurance  controls  is  not  a  tailorable  factor.  All  applicable  IA  controls  must  be  met 
either  by  incorporation,  inheritance,  waiver  or  exception. 

5-4.  Accreditation 

a.  Accreditation  is  the  official  management  authorization  to  operate  an  IS  or  network  and  is  based,  in  part,  on  the 
formal  certification  of  the  degree  to  which  a  system  meets  a  prescribed  set  of  security  requirements.  The  C&A 
statement  affixes  security  responsibility  associated  with  operational  IA  risk  with  the  accrediting  authority. 

b.  Accreditation  must  address  each  operational  environment  of  the  IS  for  both  fixed  and  deployable  configurations. 
For  example,  an  IS  may  operate  at  one  confidentiality  level  in  a  standalone  mode  and  connect  to  a  global  network  at 
another  confidentiality  level.  The  C&A  must  clearly  establish  procedures  for  transition  between  the  two  environments. 
Multiple  operational  environments  can  result  in  multiple  accreditations  for  a  single  IS  if  different  DAAs  are  involved. 
However,  in  the  concept  of  the  operations  document,  a  single  accreditation  that  addresses  all  variations  is  sufficient. 
Refer  to  the  C&A  BBPs  for  further  guidance  and  procedures  on  IS  accreditation. 

c.  Site-based  accreditations  are  appropriate  for  a  single  unit  or  for  a  LAN  with  appropriately  accredited  ISs  generally 
performing  similar  functions  with  similar  equipment. 

d.  Type  accreditations  are  appropriate  for  IS  fielded  to  multiple  users  under  the  PEO/direct-reporting  PM  structure 
to  multiple  locations.  Additionally,  type  accreditations  are  appropriate  whenever  a  single  office  or  agency  is  responsible 
for  fielding  an  IS  to  multiple  Army  users  at  multiple  locations.  Type  accreditations  must  indicate  whether  they  are  a 
generic  accreditation  of  centrally  fielded  IS  or  an  operational  accreditation  of  IS  that  are  procured  or  obtained  locally, 
and  whether  a  single  identifiable  system  or  group  of  similar  systems  is  covered. 

5-5.  Recertification  and  re-accreditation 

a.  Information  systems  will  be  recertified  and  reaccredited  once  every  three  years.  Each  of  the  IA  Controls  assigned 
to  the  information  system  must  be  revalidated.  The  results  of  validation  tests  of  IA  Controls  conducted  during  an 
annual  review  may  be  used  in  the  recertification  and  re-accreditation  of  the  information  system  if  performed  within  one 
year. 

b.  Not  less  than  annually,  the  SO  will  provide  a  written  statement  or  digitally  signed  e-mail  to  the  CA  that  either 
confirms  the  effectiveness  of  assigned  IA  Controls  and  their  implementation,  or  recommends  changes  or  improvements 
to  the  implementation  of  assigned  IA  controls,  the  assignment  of  additional  IA  controls  or  changes  or  improvements  to 
the  design  of  the  IS  itself. 

c.  This  annual  revalidation  may  be  performed  as  a  self  assessment.  However,  a  third  party  independent  evaluator 
must  perform  the  validation  every  3™  year,  at  a  minimum. 

d.  The  CA  will  review  the  written  statement  and  make  a  recommendation  to  the  DAA. 

e.  The  DAA  will  evaluate  the  recommendation,  mission,  and  information  environment  indications,  and  determine  a 
course  of  action. 

/  The  DAA  may  use  any  favorable  annual  review  to  re-authorize  processing  under  the  current  authorization 
termination  date  (ATD)  or  adjust  the  ATD  for  an  additional  year. 

g.  The  DAA  may  use  any  unfavorable  annual  review  to  downgrade  the  accreditation  status  to: 

(1)  An  IATO  and  reset  ATD  to  180  days.  The  SO  will  prepare  a  POA&M  executable  within  the  180  days. 

(2)  Denial  of  authorization  to  operate  (DATO).  Operation  of  the  IS  will  be  halted  until  the  IS  is  brought  into 
compliance. 
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h.  The  results  of  the  annual  reviews  will  be  reported  in  the  Array  Portfolio  Management  Solution,  as  appropriate, 
and  become  part  of  the  IS  accreditation  package  until  the  IS  is  decommissioned. 

5-6.  Accreditation  documentation 

a.  The  SO  will  forward  to  the  receiving  ACOM/ASCC,  installation,  and/or  activity  DAA  and  applicable  NETCOM 
RCIO,  a  copy  of  the  accreditation  decision,  supporting  C&A  documentation  and  Certificate  of  Networthiness  (CON). 
The  DAA  or  representative,  together  with  the  command  functional  user  representative  and  NETCOM  RCIO,  will 
review  the  C&A  package  and  either  accept  the  accreditation  decision  as  is  or  implement  additional  measures  or 
procedures  to  meet  the  needs  of  their  unique  operating  environment.  Such  additional  measures  will  be  appended  to  the 
system  accreditation  and  provided  to  the  CA  for  consideration  in  the  operational  IA  risk  recommendation  to  the  gaining 
DAA  for  approval  in  that  unique  environment. 

b.  SCI  systems  will  not  obtain  a  CON,  but  will  follow  the  DCID  6/3  requirements. 

c.  There  are  four  potential  DAA  accreditation  decisions:  ATO,  IATO,  IATT,  and  DATO. 

d  The  ATO  decision  which  will  specify  an  authorization  termination  date  (ATD)  that  is  within  three  years  of  the 
authorization  date. 

e.  The  IATO  decision  which  will  specify  an  ATD  that  is  within  180  days  of  authorization,  limited  to  no  more  than 
one  IATO  extension.  IATO  requests  must  be  accompanied  by  a  POA&M,  with  corrective  actions  funded  and 
achievable  within  the  authorization  period. 

/  The  IATT  decision  which  will  specify  an  ATD  the  is  consistent  with  the  completion  of  the  test.  The  IATT 
establishes  the  agreed  upon  test  duration  and  any  special  considerations  or  constraints. 

g.  The  DATO  decision  will  specify  and  effective  date.  The  DATO  is  effective  until  the  DAA  believes  the  IA 
posture  of  the  IS  has  been  raised  to  an  acceptable  level. 

5-7.  Connection  approval  process 

a.  Army  organizations  requiring  network  access  to  the  Defense  Information  Systems  Network  (DISN)  will  prepare  a 
CAP  package  requesting  connection  approval.  Army  organizations  requiring  network  access  to  the  DISN  will  prepare  a 
CAP  for  submission  to  the  proper  DISA  IA  office.  The  DISA  IA  office  will  review  the  CAP  package  and  approve/ 
disapprove  customer  for  access  to  the  DISN.  Approval  will  be  granted  with  an  interim  authority  to  connect  (1ATC) 
authority  to  connect  (ATC)  letter. 

b.  Interconnection  of  two  or  more  enclaves  requires  DAA  approval  through  MOUs  or  Memoranda  of  Agreement 
(MOAs)  between  all  DAAs.  MOUs/MOAs  will  address  interconnection  requirements  as  outlined  in  DODI  8500.2. 

c.  All  IS  must  obtain  CON  as  approval  to  connect  through  the  Networthiness  process  prior  to  becoming  operational 
within  the  Army. 

d.  An  enclave’s  MAC  level  and  security  domain  remain  fixed  during  interconnection  to  other  enclaves;  they  do  not 
inflate  to  match  the  MAC  level  or  security  domain  of  an  interconnecting  enclave.  Enclaves  with  higher  MAC  levels 
connecting  to  enclaves  with  lower  MAC  levels  are  responsible  for  ensuring  that  the  connection  does  not  degrade  the 
availability  or  integrity  of  the  higher  enclave. 

e.  Interconnections  that  include  or  impact  the  DISN  or  JWICS  are  subject  to  DISN  or  JWICS  connection  manage¬ 
ment  requirements  and  processes. 

/  Interconnections  that  cross  security  domains  are  subject  to  DOD  policy  and  procedures  for  controlled  interfaces 
and  cross  domain  solutions  (CDS)  as  appropriate. 

g.  Adjunct  networks  that  rely  on  the  installation  network  for  NIPRNET  and  SIPRNET  services  will  provide  their 
C&A  documentation  to  the  installation  DAA  for  approval  prior  to  connecting  to  the  ICAN. 

h.  Interconnections  that  include  or  impact  the  JWICS  are  subject  to  D1A  connection  approval  process  management 
requirements. 

5-6.  Designated  approving  authority 

a.  The  DAA  is  vested  with  the  authority  to  formally  assume  responsibility  for  operating  an  IS  at  an  acceptable  level 
of  risk.  The  DAA  must  weigh  the  operational  need  for  the  systems  capabilities,  the  protection  of  personal  privacy,  the 
protection  of  the  information  being  processed,  and  the  protection  of  the  information  environment,  which  includes 
protection  of  the  other  missions  and  business  functions  reliant  on  the  shared  information  environment. 

b.  The  DAA  may  rely  on  the  Army  CA  operational  IA  risk  recommendation  and  may  authorize  operation  through 
the  approval  of  an  ATO,  IATO,  IATT,  or  deny  operations  through  a  DATO.  Absent  an  accreditation  decision  an  IS  is 
considered  unaccredited  and  will  not  be  operated  within  or  in  support  of  the  Army. 

c.  A  DAA  may  downgrade  or  revoke  their  initial  Accreditation  Decision  any  time  risk  conditions  or  concerns  so 
warrant. 

d.  A  DAA  will  be  identified  for  each  information  system  operating  within  or  on  behalf  of  the  DA,  to  include 
outsourced  business  processes  supported  by  private  sector  IS  and  outsourced  IT  (for  example.  Government  owned. 
Contractor  Operated  (GOCO)  and  Contractor  Owned,  Contractor  Operated  (COCO). 

e.  DAA  responsibility  must  reside  with  the  organization  that  maintains  funding,  management  and  operational  control 
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over  the  IS  while  in  development,  and  once  deployed,  as  applicable.  In  the  instance  of  type  accreditation  these  may  be 
different  organizations  but  will  have  documented  MOUs  when  the  transfer  is  made. 

f.  The  CIO/G-6  will  remain  the  DAA  for  Army  information  systems,  with  the  exception  of  Army  SCI  systems. 

g.  The  CIO/G-6  will  appoint  in  writing,  or  digitally  signed  e-mail,  all  Army  DAAs  with  the  exceptions  noted 
below.  Existing  appointments  or  delegations  will  become  invalid  within  90  days  of  the  approval  date  of  this  AR  25-2 
C&A  update.  Requests  for  appointment  must  be  submitted  to  the  OIA&C  for  processing  during  these  three  months. 
DAA  responsibility  can  be  assigned  to  a  position  in  the  organization;  however,  appointments  will  always  be  to  named 
individuals.  DAA  appointment  will  be  for  specific  named  systems  or  networks.  The  OIA&C,  NETC-EST-IC,  will 
coordinate  the  DAA  appointments  on  behalf  of  the  CIO/G-6. 

h.  All  DAAs  will  be  at  the  General  Officer,  Senior  Executive  Service  or  equivalent  level  regardless  of  the 
confidentiality  level  at  which  the  IS  operates.  This  appointment  will  not  be  further  delegated  or  appointed  downward 
except  as  noted  below  or  as  approved  by  the  CIO/G-6. 

i.  All  DAAs  will  be  U.S.  citizens,  DOD  employees,  hold  a  U.S.  Government  security  clearance  and  formal  access 
approvals  commensurate  with  the  level  of  information  processed  by  the  IS  under  their  jurisdiction,  or  a  Secret 
clearance,  which  ever  is  higher. 

j.  All  DAAs  will  have  a  level  of  authority  commensurate  with  accepting  in  writing  the  risk  of  operating  DA  IS 
under  their  purview. 

k.  All  DAAs  will  complete  IA  training  consistent  with  the  Army  Training  BBP.  A  copy  of  the  completion  training 
certificate  must  be  provided  to  CIO/G-6  through  the  OIA&C  prior  to  assuming  DAA  duties. 

/.  DAA  appointment  must  be  requested  of  the  CIO/G-6.  Requests  for  appointments  should  be  consistent  with  the 
following  examples  when  compliant  with  5— 8/r  through  k,  above: 

(1)  The  Commanding  General  (CG),  NETCOM  for  the  Army  enterprise  with  the  authority  to  appoint  the  Director 
NETCOM  ESTA  for  the  Army  enterprise. 

(2)  PEOs  or  direct-reporting  PM  for  acquisition  systems  developed  under  their  charter  except  as  noted  below. 

(3)  Principal  Army  Staff  officers  for  Army  Staff  unique  systems  that  remain  under  that  office’s  control  and 
management  after  deployment,  except  as  noted  below. 

(4)  CAR  for  the  USAR,  with  the  authority  to  appoint  the  USAR  COS  for  the  ARNET. 

(5)  Chief,  ARNG  for  the  ARNG  and  GuardNet  XXI,  with  the  authority  to  appoint  ARNG  state  DOIM/J6/CIO  for 
individual  states,  as  appropriate. 

(6)  The  AASA  as  the  ACOM/ASCC  commander  for  Pentagon  ITS,  to  include  IS  connected  to  the  Pentagon  CIT 
enterprise,  associated  swing  space,  and  alternate  COOP  sites  through  the  national  capital  region  (NCR)  with  the 
authority  to  appoint  those  GO,  SES  or  equivalent  within  AASA  purview  that  are  the  SOs  or  have  life  cycle 
responsibility  for  the  IS,  as  appropriate. 

(7)  The  MEDCOM  Commander,  with  the  authority  to  appoint  the  MEDCOM  RMC/MSC  Commanders  for  medical, 
dental  and  veterinary  activities  and  treatment  facilities,  as  appropriate. 

(8)  The  USACE  CIO  for  the  USACE  WAN  and  corporate  IS,  with  the  authority  to  appoint  the  USACE  Division 
Commanders  for  USACE  IS,  as  applicable. 

(9)  The  Commander  USAREUR,  with  the  authority  to  appoint  DAAs  for  tenant  and  MSC  commanders  within 
USAREUR,  as  appropriate. 

m.  The  following  C&A  DAA  positions  remain  in  place: 

(1)  The  CIO/G-6  for  Army  Special  Access  Programs. 

(2)  The  CIO/G-6  for  classified  systems  developed  by  DA  staff  agencies. 

(3)  The  DCS,  G-2  for  DODI1S  processing  SCI  at  Protection  Level  1,  2,  and  3. 

(4)  The  Director,  National  Security  Agency  for  cryptographic  solutions  used  to  protect  classified  information. 

(5)  The  Director,  Joint  Staff  is  the  DAA  for  systems  that  process  SIOP-ESI  data. 

(6)  Commander,  INSCOM  for  signals  intelligence  (S1GINT)  systems  within  the  Army. 

n.  Questions  concerning  DAA  requests  or  appointments  should  be  directed  to  the  OIA&C  at  iacora@us.army.mil. 

o.  DAAs  may  assign  members  of  their  staff  to  act  as  their  representative  during  the  C&A  process.  However, 
signature  authority  will  remain  with  the  individual  appointed  by  the  CIO/G-6.  Following  the  chain  of  command  the 
DAA  may  authorize  a  member  of  his/her  staff  to  “sign  for”  him/her,  but  the  signature  block  and  responsibility  will 
remain  with  the  CIO/G-6  appointed  individual.  A  copy  of  the  authorization  memo  will  be  submitted  to  the  CIO/G-6 
through  iacora@us.army.mil. 

5-9.  Lead  agent  of  the  certification  authority 

a.  Lead  ACA  and  ACA  organizations  will  be  designated  by  the  CA  through  the  process  documented  in  the  1A  C&A 
ACA  BBP. 

b.  The  lead  ACA  will  be,  at  a  minimum,  a  Government  employee,  a  U.S.  citizen,  at  least  a  LTC,  GS-14,  or 
equivalent,  and  be  appropriately  cleared  (Secret  at  a  minimum).  Refer  to  the  ACA  BBP  for  further  details. 

c.  The  lead  ACA  will  be  responsible  for  preparation,  planning  and  conducting  the  certification  testing. 
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d.  The  reimbursable  ACA  will  perform  the  following,  at  a  minimum: 

(1)  Prepare  IA  Certification  Event  Test  Plans. 

(2)  Conduct  IA  Certification  Test  Events  and  STE  as  appropriate. 

(3)  Prepare  IA  Certification  Test  Event  Reports. 

(4)  Prepare  IA  Scorecards. 

(5)  Prepare  IA  Risk  Assessments  from  the  IA  Certification  Test  Event  findings,  at  a  minimum. 

(6)  Provide  the  IA  certification  results  and  any  supporting  documentation  to  the  Army  CA  for  consideration  in  the 

IA  operational  risk  recommendation. 

e.  ACA  organizations  may  perform  other  functions  as  negotiated  by  the  SO. 

/  The  ACA  concept  does  not  apply  to  DODIIS  and  SIGINT  systems.  Certification  of  these  systems  will  be 
conducted  in  accordance  with  DCID  6/3. 

5-10.  System  owner 

a.  A  Government  SO  will  be  identified  for  each  IS  used  by  or  in  support  of  the  Army.  The  SO  is  responsible  for 
ensuring  the  security  of  the  IS  as  long  as  it  remains  in  Army  inventory,  or  until  transferred  (temporarily  or  permanent¬ 
ly)  to  another  Government  person,  organization  or  agency,  and  such  transfer  is  appropriately  documented  and  provided 
as  an  artifact  to  the  accreditation  package. 

b.  The  SO  is  responsible  for  the  certification  and  accreditation  of  the  IS  and  will  provide  the  C&A  package  to  the 
Army  CA  in  sufficient  time  for  review  and  determination  of  operational  IA  risk  recommendation  in  support  of  DAA 
approval  to  operate  decision  prior  to  operational  use  or  testing  on  a  live  network  or  with  live  Army  data. 

c.  The  SO  will  ensure  that  the  C&A  package  and  the  SSAA  are  provided  to  the  ACOM/ASCC,  RCIO  IAPM,  and 
NETCOM  prior  to  10T&E  on/or  before  deployment  of  the  system. 

d.  If  the  SO  can  not  be  identified,  then  the  IS  should  be  deemed  unnecessary  and  removed  from  the  Army  inventory. 

e.  It  is  the  responsibility  of  the  SO  to  plan  and  budget  for  IS  certification  efforts. 

/  It  is  the  responsibility  of  the  SO  to  select  the  ACA  that  best  supports  his  requirements,  such  as  those  of  cost  and 
schedule. 

g.  Not  less  than  annually  all  SO  will  provide  a  written  statement  or  digitally  signed  e-mail  to  the  Army  CA  that 
either  confirms  the  effectiveness  of  assigned  IA  Controls  and  their  implementation,  recommends  changes  or  improve¬ 
ments  to  the  implementation  of  assigned  IA  controls,  or  assigns  additional  IA  controls,  changes  or  improvements  to  the 
design  of  the  IS  itself. 

h.  The  system  owner  will  forward  to  the  receiving  ACOM/ASCC,  installation  and  activity  DAA  a  copy  of  the 
accreditation  decision,  supporting  C&A  documentation  and  CON. 


Chapter  6 

Communications  Security 

6-1.  Communications  security  overview 

This  chapter  provides  DA  policy  for  the  acquisition,  implementation,  and  life  cycle  management  of  cryptographic 
systems,  products,  and  services  used  to  protect  sensitive  and  classified  national  security  information,  systems,  and 
networks.  All  tactical  ISs  are  considered  critical  to  the  direct  fulfillment  of  military  or  intelligence  missions,  and 
therefore  are  regarded  as  national  security  systems.  With  the  exception  of  those  systems  approved  by  NSA  and 
endorsed  by  HQDA  CIO/G-6,  at  no  time  will  U.S.  classified  national  security  information  be  protected  by  foreign 
cryptographic  systems  or  products,  or  by  a  NIST/NIAP  common  criteria  testing  laboratory  evaluated  product.  Excep¬ 
tions  will  be  re-approved  on  an  annual  basis.  Use  of  any  unapproved  product  to  protect  classified  national  security 
information  will  be  considered  as  a  reportable  communications  security  incident  under  AR  380-40,  paragraph  7-3 b 

a.  Protection  of  classified  information  and  systems  whether  national  security  systems  (NSS)  or  non-NSS.  Only  NSA- 
approved  cryptographic  systems  will  be  used  to  protect  classified  national  security  information  and  national  security 
systems. 

(1)  Classified  national  security  information  will  be  protected  in  transmission  by  NSA  approved  cryptography. 

(2)  Tactical  information  systems  will  be  protected  by  NSA  approved  cryptography. 

(3)  Requirements  for  NSA-approved  cryptographic  systems  will  be  identified  and  validated  in  the  A1AP  and 
managed  by  the  Army  OIA&C. 

(4)  NSA  cryptographic  systems  will  be  centrally  acquired  and  managed  by  the  CSLA. 

(5)  Only  keying  material  produced  by  NSA  or  generated  by  NSA-approved  key  generators  will  be  used  to  key 
cryptographic  systems  that  protect  classified  national  security  information. 

(6)  All  cryptographic  systems  employed  in  the  tactical  force  structure  that  protect  classified  national  security 
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information  must  be  Army  Electronic  Key  Management  System/Key  Management  Infrastructure  (EKMS/KMI)  compli¬ 
ant.  Each  approved  cryptographic  system  will  have  a  NSA  approved  key  management  plan. 

b.  Protection  of  unclassified  and  sensitive  information  and  systems.  NIST/NIAP  approved  cryptographic  systems 
will  only  be  used  to  protect  Unclassified  or  Sensitive  information.  NIST/NIAP  approved  cryptographic  systems  or 
foreign  cryptographic  systems  to  be  employed  in  the  tactical  force  structure  will  be  approved  on  a  case-by-case  basis 
by  the  HQDA  CIO/G-6.  Company  and  Below  Units  may  use  NIST/NIAP  approved  cryptographic  systems  for 
protecting  Non-Mission/Non-Operational  unclassified  or  sensitive  information.  Cryptographic  systems  or  products 
intended  for  the  protection  of  unclassified  or  sensitive  information  or  systems  will — 

(1)  Be  evaluated  by  a  NIAP/CCEVS  approved  Common  Criteria  Test  Lab  (CCTL)  against  a  U.S.  Government 
Protection  Profile  for  medium  robustness  environment. 

(2)  Be  validated  under  the  NIST  Cryptographic  Module  Validation  Program  (CMVP)  that,  at  a  minimum  meet,  level 
2  security  requirements  of  the  Federal  Information  Processing  Standard  140-2  (FIPS  140-2). 

(3)  Products  that  exceed  minimum  FIPS  140-2  security  requirements  and  common  criteria  evaluation  assurance 
levels  will  be  given  preference  when  considered  for  procurement. 

(4)  NIST-approved  cryptographic  systems  intended  to  protect  unclassified  sensitive  information  will  be  identified  in 
the  A1AP  and  managed  by  the  Army  OIA&C.  Funding  for  these  systems  will  be  the  responsibility  of  the  organization 
or  activity  identifying  the  requirement. 

(5)  All  NIST/NIAP-approved  cryptographic  systems  will  be  centrally  acquired  and  managed  through  CSLA. 

(6)  Each  NIST/NIAP-approved  cryptographic  system  will  have  a  key  management  plan  that  describes  in  detail  all 
activities  involved  in  the  handling  of  cryptographic  keying  material  for  the  system,  including  other  related  security 
parameters  (such  as  IDs  and  passwords).  The  plan  will  describe  accountability  over  the  keying  material  over  the  entire 
life  cycle  of  the  system’s  keys  from  generation,  storage,  distribution,  and  entry  into  the  system  through  use,  deletion, 
and  final  destruction. 

c.  Data  Encryption  Standard  (DES).  All  implementations  of  FIPS  46-2  DES  are  prohibited  within  the  Army. 

d.  Advanced  Encryption  Standard  (AES).  The  implementation  of  AES  in  products  intended  to  protect  classified 
national  security  information  and  systems  must  be  reviewed  and  certified  by  NSA,  and  approved  by  HQDA  CIO/G-6 
prior  to  their  acquisition  through  CSLA. 

e.  Public  key  cryptography.  Systems  that  employ  public  key  (asymmetric  key)  technology  to  protect  unclassified 
sensitive  or  classified  national  security  information  and  systems  will  be  approved  by  the  CIO/G-6.  Asymmetric  keys 
will  be  obtained  through  authorized  DOD  or  Army  certificate  authorities  operating  under  current  DOD-approved 
Certificate  Practice  Statements. 

f.  Approved  Cryptographic  Systems  and  Algorithms.  The  CSLA  will  maintain  a  list  of  approved  cryptographic 
systems  and  algorithms  for  use  in  the  Army.  All  cryptographic  products  must  be  procured  through  CSLA  to  be  valid 
for  use  on  an  Army  system.  CSLA  managed  Army  Approved  Product  List  (APL)  is  available  by  calling  the  CSLA 
customer  support  help  desk  at  1-800-662-2123  or  from  the  CSLA  Web  page  (when  established). 

6-2.  Protected  distribution  systems 

a.  A  protected  distribution  system  (PDS)  will  be  used  only  if  cost-effective  and  sufficiently  controlled  to  prevent 
covert  penetration  and  interception. 

b.  Any  IS  that  includes  a  PDS  to  transmit  data  will  not  be  operationally  accredited  until  the  PDS  has  been  approved. 

6-3.  Approval  of  protected  distribution  systems 

a.  PDSs  must  be  constructed  per  criteria  contained  in  NSTISSI  No.  7003  and  supplemented  with  IA  procedures  in 
this  regulation. 

b.  Authority  to  approve  a  PDS  for  the  clear  text  transmission  of  classified  information  within  fixed  plant  and 
garrison  installations  is  delegated  as  follows: 

(1)  Principal  HQDA  officials  for  activities  under  their  staff  supervision,  direction,  or  control. 

(2)  Garrison  commanders  for  their  organic  activities. 

c.  Requests  for  approval  of  a  PDS  to  transmit  TS  information  must  include  an  evaluation  by  the  appropriate  support 
element.  Approval  authorities  may  request  technical  assistance  from  INSCOM,  902nd  MI  Group,  Fort  Meade,  MD 
20755,  in  applying  security  criteria  and  processing  the  approval  action  for  other  PDSs. 

d.  Commanders  of  battalion  and  higher  echelons  may  approve  circuits  for  clear  text  electrical  transmission  of 
SECRET  and  CONFIDENTIAL  information  in  tactical  environments.  Under  combat  conditions,  commanders  may 
delegate  this  authority  to  the  company  level.  Tactical  PDSs  will  not  be  approved  for  clear  text  transmission  of  TS 
information. 

e.  Once  a  PDS  has  been  approved,  no  changes  in  installation,  additions,  or  use  may  be  made  until  the  approval 
authority  has  granted  approval  for  such  changes. 

/  Requests  to  approve  a  PDS  will  be  submitted  through  channels  to  the  installation  IAM  and  DAA.  Requests  will  be 
classified  at  least  CONFIDENTIAL  and  will  contain  the  following  information: 
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(1)  Full  identification  and  location  of  the  requesting  organization. 

(2)  A  statement  of  the  classification  of  information  to  be  transmitted  on  the  PDS. 

(3)  A  copy  of  the  building  floor  plan  (or  a  diagram  of  the  field  area  as  appropriate)  designating  the  following: 

(a)  Proposed  cable  route  and  location  of  subscriber  sets,  distribution  frames,  junction  boxes,  and  any  other  compo¬ 
nents  associated  with  the  circuit. 

(b)  Other  wiring  along  the  PDS  route. 

(4)  Description  of  the  cable  installation  (for  example,  24  pairs  of  shielded  cable  in  rigid  steel  conduit,  6  pairs  of 
shielded  cable  in  floor,  or  fiber  optic  cable).  Indicate  the  cable  length. 

(5)  Description  and  nomenclature  of  terminal  and  subscriber  equipment  to  be  used. 

(6)  Clearance  of  individuals  having  access  to  the  circuit. 

(7)  Type  of  guards  (for  example,  U.S.  military,  U.S.  civilian,  foreign  civilian)  and  their  security  clearance  or  access 
authorization  status. 

(8)  Description  of  access  control  and  surveillance  of  uncleared  personnel  who  may  be  allowed  entry  into  the  area 
housing  any  part  of  the  PDS. 

(9)  Identification  of  the  power  source  to  be  used  for  the  PDS  and  a  statement  of  the  distance  to  the  nearest  point 
where  undetected  tampering  would  be  possible. 

(10)  A  justification  for  using  the  proposed  PDS. 

(11)  A  statement  concerning  any  deviations  from  the  established  PDS  criteria  and  an  evaluation  of  their  security 
implications. 

(12)  For  PDSs  to  be  used  with  TS  information,  a  copy  of  the  security  evaluation. 

(13)  The  request  and  approval  must  become  part  of  the  C&A  package. 

6-4.  Radio  systems 

a.  Protect  all  voice  or  data  military  radio  systems  and  COTS-implemented  cellular  or  wireless  communications 
devices  and  services  to  the  level  of  sensitivity  of  the  information. 

b.  Use  electronic,  auto-manual,  or  manual  crypto-systems  to  provide  the  needed  security  for  existing  radio  systems 
that  do  not  have  embedded  or  electronic  crypto-systems.  However,  all  future  procurements  must  comply  with  para¬ 
graph  6-1,  above. 

c.  Prohibit  the  use  of  commercial  non-encrypted  radio  systems  in  support  of  command  and  control  functions. 

d.  Radios  used  for  public  safety  communications  with  civil  agencies  or  to  communicate  on  civil  aviation  channels 
are  excluded  from  the  requirements  of  paragraphs  a  and  b,  above.  This  exclusion  does  not  apply  to  communications 
dealing  with  aviation  combat  operations. 

6-5.  Telecommunication  devices 

a.  All  personnel  are  prohibited  from  using  Government-owned  receiving,  transmitting,  recording,  and  ampli¬ 
fication  telecommunications  equipment  in  restricted  areas;  such  as  classified  work  areas,  mission  essential 
vulnerable  areas  (MEVAs),  or  staging  areas  before  deployment  unless  authorized  in  writing  by  the  commander. 
The  DAA  remains  the  accreditation  authority  for  telecommunication  devices  in  restricted  areas. 

b.  All  personnel  will  use  NSA  or  CIO/G-6  approved  secure  telephones  to  discuss  classified  information 
telephonically. 

c.  All  personnel  are  prohibited  from  possessing  or  using  any  privately  owned  PED  (for  example,  cell  phones, 
TWED)  within  the  confines  of  classified,  restricted,  or  open  storage  areas  designated  by  the  commander. 


Chapter  7 
Risk  Management 

7-1.  Risk  management  process 

a.  Absolute  confidence  in  the  information  accessed  or  available  in  the  Army  enterprise  is  unachievable;  as  such,  the 
Army  and  DOD  will  approach  increasing  that  level  of  trust  through  the  implementation  of  a  risk  management  process. 
With  technological  advances  and  capabilities,  training,  and  IA-focused  processes  to  reduce  identifiable  threats,  the  level 
of  trust  of  information  and  ISs  is  significantly  increased.  Establish  a  risk  management  process  containing  the  following 
phases  as  a  minimum  for  all  ISs.  The  process  outlined  in  this  chapter  is  based,  in  principle,  on  the  risk  management 
doctrine  as  defined  by  FM  5-19 — 

(1)  Identify  threats  such  as  those  posed  by  default  designs  or  configurations,  architecture  deficiencies,  insider  access, 
and  foreign  or  nation-state  interests,  ownership  and  capabilities. 

(2)  Assess  threats  to  determine  risks. 

(a)  What  information  is  accessible? 


54 

ManningB_00016289 


AR  25-2  •  24  October  2007 


© 


(b)  What  information  will  be  stored  electronically  and  secured,  for  example  self  generated,  prototype,  research  and 
development,  electronic  forms  and  documents,  calendars,  operational  logs? 

(c)  What  will  be  the  stored  format  of  the  information  and  the  naming  or  identification  mechanism? 

(d)  Who  has  authorization  to  access  and  share  the  information? 

(e)  What  is  the  potential  adverse  effect  of  loss,  access,  or  manipulation  of  the  data? 

(f)  What  are  the  OPSEC  issues  of  data  availability? 

(g)  What  are  the  data  owner’s  requirements  and  length  of  required  storage  or  access? 

(h)  What  legacy  operating  systems  or  applications  are  required  for  stored  information?  What  hardware  is  required  to 
access  and  read  the  storage  media? 

(i)  What  are  the  backup  and  disaster  recovery  plans? 

(j)  What  is  the  plan  to  migrate  legacy  data  to  current  application  capabilities? 

(3)  Develop  controls  and  make  risk  management  decisions.  How  do  you  protect  the  information  access,  and 
infrastructure? 

(4)  Implement  controls,  countermeasures,  or  solutions.  Choose  the  coned  1A  tools,  controls  and  countermeasures  to 
defend  against  adversarial  attacks  on  IS  and  networks. 

(5)  Implement  a  capability  to  monitor  for  compliance  and  success. 

(6)  Supervise,  evaluate,  review,  and  refine  as  necessary. 

b.  Commanders,  Directors,  combat  developers,  and  materiel  developers  will  integrate  the  risk  management  process 
in  the  planning,  coordination,  and  development  of  ISs. 

c.  Reevaluate  and  reissue  any  risk  analyses  and  mitigations  plans  if  there  is  a  successful  compromise  of  an  IS  or 


device. 


d.  Telecommunications  systems  that  do  not  include  the  features  normally  associated  with  an  IS  and  that  handle 
classified  or  sensitive  information  will  be  implemented  and  operated  in  conformance  with  the  risk  management  process. 

7-2.  Information  operations  condition 

The  IAPM  or  the  command’s  senior  IA  person  is  responsible  for  coordinating  an  INFOCON  plan.  The  INFOCON  is  a 
Commander’s  Alert  System  that  establishes  a  uniform  DOD  and  Army  process  for  posturing  and  defending  against 
malicious  activity  targeting  DOD  ISs  and  networks.  The  countermeasures  at  each  level  will  be  available  when 
published  or  as  directed  by  the  combatant  command  when  the  command  is  an  ACOM/ASCC.  If  there  is  a  conflict 
between  Army  and  combatant  command  directed  measures,  those  of  the  combatant  command  take  precedence.  Typical 
countermeasures  include  preventative  actions  and  actions  taken  during  an  attack  as  well  as  damage  control  and 
mitigation  actions. 


AR  25-2  •  24  October  2007 


55 


ManningB_0001 6290 


© 


0 


Appendix  A 
References 

Section  I 

Required  Publications 
AR  25-1 

Army  Knowledge  Management  and  Information  Technology  Management.  (Cited  in  paras  l-5g(l3),  2-1  j,  2-8/,  3-3 j, 

3- 3/,  4-5 a,  4-20 c,  4-20g,  4-29o,  4-306.) 

AR  380-5 

Department  of  the  Army  Information  Security  Program.  (Cited  in  paras  4-5a(7),  4-5s(10)(h)3,  4-1  la,  4-1  \d,  4— 16a, 

4- 166,  4- 17c,  4-32.) 

AR  380-53 

Information  Systems  Security  Monitoring.  (Cited  in  paras  4— 5m(6),  4-29a.) 

DA  Pam  25-1-1 

Information  Technology  Support  and  Services.  (Cited  in  para  4-5/.) 

Section  II 

Related  Publications 

A  related  publication  is  merely  a  source  of  additional  information.  The  user  does  not  have  to  read  it  to  understand  this 
regulation. 

AR  5-12 

Army  Management  of  the  Electromagnetic  Spectrum 
AR  15-6 

Procedures  for  Investigating  Officers  and  Boards  of  Officers 
AR  25-55 

The  Department  of  the  Army  Freedom  of  Information  Act  Program 
AR  36-2 

Audit  Services  in  the  Department  of  the  Army 

AR  70-1 

Army  Acquisition  Policy 

AR  190-45 

Law  Enforcement  Reporting 

AR  190-51 

Security  of  Unclassified  Army  Property  (Sensitive  and  Nonsensitive) 

AR  195-2 

Criminal  Investigation  Activities 

AR  215-1 

Military  Morale,  Welfare,  and  Recreation  Programs  and  Nonappropriated  Fund  Instrumentalities 
AR  340-21 

The  Army  Privacy  Program 
AR  380-10 

Foreign  Disclosure  and  Contacts  with  Foreign  Representatives 
AR  380-40 

Policy  for  Safeguarding  and  Controlling  Communications  Security  (COMSEC)  Material 


56 

ManningB_0001 6291 


AR  25-2  •  24  October  2007 


o 


J 


AR  380-49 

Industrial  Security  Program 
AR  380-67 

The  Department  of  the  Army  Personnel  Security  Program 
AR  381-10 

U.S.  Army  Intelligence  Activities 

AR  381-11 

Intelligence  Support  to  Capability  Development 
AR  381-14 

Technical  Counterintelligence  (TCI) 

AR  381-20 

The  Army  Counterintelligence  Program 

AR  525-13 
Antiterrorism 

AR  530-1 

Operations  Security  (OPSEC) 

AR  608-1 

Army  Community  Service  Center 
DA  Pam  25-1-2 

Information  Technology  Contingency  Planning. 

Chairman  of  the  Joint  Chiefs  of  Staff  Instruction  5221.01B 

Delegation  of  Authority  to  Commanders  of  Combatant  Commands  to  Disclose  Classified  Military  Information  to 
Foreign  Governments  and  International  Organizations.  (Available  at  http://www.dtic.mil/cjcs_directives/.) 

Chairman  of  the  Joint  Chiefs  of  Staff  Manual  6510.01 

Defense-in-Depth:  Information  Assurance  (IA)  and  Computer  Network  Defense  (CND).  (Available  at  http:// 
www.dtic.mil/cjcs_directives/.) 

Common  Criteria  Evaluation  and  Validation  Scheme  (CCEVS) 

(http://niap.bahialab.com/cc-scheme/) 

Committee  on  National  Security  Systems  (CNSS)  Instruction  4012 

Operation  of  the  Defense  Acquisition  System.  (Available  at  http://www.cnss.gov/instructions.html.) 

DOD  5200.2-R 

Personnel  Security  Program.  (Available  at  http://www.dtic.mil/whs/directives.) 

DOD  5220.22-M 

National  Industrial  Security  Program  Operating  Manual.  (Available  at  http://www.dtic.mil/whs/directives.) 

DOD  5220.22-M-SUP 

National  Industrial  Security  Program  Operating  Manual  Supplement.  (Available  at  http://www.dtic.mil/whs/directives.) 

DOD  5400.7-R 

DOD  Freedom  of  Information  Act  Program.  (Available  at  http://www.dtic.mil/whs/directives.) 

DOD  5500.7-R 

Joint  Ethics  Regulation  (JER).  (Available  at  http://www.dtic.mil/whs/directives.) 


ManningB_00016292 


AR  25-2  •  24  October  2007 


o 


J 


DOD  8510.1-M 

Department  of  Defense  Information  Technology  Security  Certification  and  Accreditation  Process  (DITSCAP) 
Application  Manual.  (Available  at  http://www.dtic.mil/whs/directives.) 

DOD  Directive  5000.1 

The  Defense  Acquisition  System.  (Available  at  http://www.dtic.mil/whs/directives.) 

DOD  Directive  5220.6 

Defense  Industrial  Personnel  Security  Clearance  Review  Program.  (Available  at  http://www.dtic.mil/whs/directives.) 
DOD  Directive  5220.22 

DOD  Industrial  Security  Program.  (Available  at  http://www.dtic.mil/whs/directives.) 

DOD  Directive  5230.9 

Clearance  of  DOD  Information  for  Public  Release.  (Available  at  http://www.dtic.mil/whs/directives.) 

DOD  Directive  5230.11 

Disclosure  of  Classified  Military  Information  to  Foreign  Governments  and  International  Organizations.  (Available  at 
http://www.dtic.mil/whs/directives.) 

DOD  Directive  5230.25 

Withholding  of  Unclassified  Technical  Data  From  Public  Disclosure.  (Available  at  http://www.dtic.mil/whs/directives.) 

DOD  Directive  8100.2 

Use  of  Commercial  Wireless  Devices,  Services,  and  Technologies  in  the  Department  of  Defense  (DOD)  Global 
Information  Grid  (GIG).  (Available  at  http://www.dtic.mil/whs/directives.) 

DOD  Directive  8500.01  E 

Information  Assurance.  (Available  at  http://www.dtic.mil/whs/directives.) 

DOD  Directive  8570.01 

Information  Assurance  (IA)  Training,  Certification,  and  Workforce  Management.  (Available  at  http://www.dtic.mil/ 
whs/directives.) 

DOD  Instruction  3020.41 

Contractor  Personnel  Authorized  to  Accompany  the  U.S.  Armed  Forces.  (Available  at  http://www.dtic.mil/whs/ 
directives.) 

DOD  Instruction  5000.2 

Operation  of  the  Defense  Acquisition  System.  (Available  at  http://www.dtic.mil/whs/directives.) 

DOD  Instruction  5200.40 

DOD  Information  Technology  Security  Certification  and  Accreditation  Process  (DITSCAP).  (Available  at  http:// 
www.dtic.mil/whs/directives.) 

DOD  Instruction  8100.3 

Department  of  Defense  (DOD)  Voice  Networks.  (Available  at  http://www.dtic.mil/whs/directives.) 

DOD  Instruction  8110.1 

Multinational  Information  Sharing  Networks  Implementation.  (Available  at  http://www.dtic.mil/whs/directives.) 
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policy/dcid/default.htm.) 
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DOD  Memo,  July  06,  2006,  Subject:  Interim  Department  of  Defense  (DOD)  Information  Assurance  (IA) 
Certification  and  Accreditation  (C&A)  Process  Guidance 

(Available  at  https://diacap.iaportal.navy.mil.) 

Executive  Order  12356 

National  Security  Information 

Federal  Information  Security  Management  Act  of  2002 

Section  3541  of  title  44,  United  States  Code.  (Available  at  http://csrc.nist.gov/policies/HR2458-fmal.pdf.) 

Federal  Information  Processing  Standards  Publication  46-2 

(http://www.itl.nist.gov/) 

Federal  Information  Processing  Standards  Publication  140-2 

Security  Requirements  for  Cryptographic  Modules.  (Available  at  http://www.itl.nist.gov/.) 

Field  Manual  3-13 

Information  Operations:  Doctrine,  Tactics,  Techniques,  and  Procedures 

Field  Manual  5-19  (100-14) 

Composite  Risk  Management 

Joint  DODIIS 

Cryptologic  SCI  Information  Systems  Security  Standards.  (Available  at  http://www.nmic.navy.smil.mil/onihome-s/ 
security/sso_navy/policyNpubs/jdcsisss/jdcissi-r2.html.) 

JP  1-02 

Joint  Publication,  Department  of  Defense  Dictionary  of  Military  and  Associated  Terms 
JTA-A 

Joint  Technical  Architecture-Army.  (Available  via  AKO  at  https://www.us.army.mil.) 

NSA/CSS  Manual  130-1 

Operational  Information  Systems  and  Networks  Security  Policy 

NSA/CSS  Manual  130-2 

Media  Declassification  and  Destruction  Manual 

NIST  Special  Publication  800-64  REV.l 

Security  Considerations  in  the  Information  Systems  Development  Life  Cycle  (http://csrc.nist.gov/publications/nistpubs/ 
800-64/NIST-SP80Q-64.pdf) 

NSTISSI  No,  4012 

National  Training  Standard  for  Designated  Approving  Authority  (DAA).  (Available  at  http://www.cnss.gov/ 
instructions.html.) 
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NSTISSI  No.  4015 

National  Training  Standard  for  System  Certifiers.  (Available  at  http://www.cnss.gov/instructions.html.) 

NSTISSI  No.  7003 

Protective  Distribution  Systems.  (Available  at  http://www.cnss.gov/instructions.html.) 

NSTISSP  No.  11 

National  Information  Assurance  Acquisition  Policy.  (Available  at  http://www.cnss.gov/instmctions.html.) 

Office  of  Management  and  Budget  Circular  A-130 
Management  of  Federal  Information  Resources 

Public  Law  100-235 

Computer  Security  Act  of  1987 

Public  Law  107-314 

Bob  Stump  National  Defense  Authorization  Act  for  Fiscal  Year  2003 

Rule  for  Courts-Martial  303 

Preliminary  inquiry 

UCMJ 

Uniform  Code  of  Military  Justice 

5  USC  552a 

The  Privacy  Act  of  1974 

22  USC  2551 

Congressional  statement  of  purpose 

22  USC  2751,  et  seq. 

Arms  Export  Control  Act 

44  USC  3541 

Information  security;  Purposes 

RCS  CS1M-62 
MDEP  M54X  Report 

Section  III 
Prescribed  Forms 

This  entry  has  no  prescribed  forms. 

Section  IV 
Referenced  Forms 

DA  Forms  are  available  on  the  Army  Publishing  Directorate  Web  site  (www.apd.army.mil):  DD  Forms  are  available 
from  the  OSD  Web  site  (http://www.dtic.mil/whs/directives/infomgt/forms/formsprogram.htm).  SFs  and  OFs  are  availa¬ 
ble  from  the  GSA  Web  site  (http://www.gsa.gov). 

DA  Form  11-2-R 

Management  Control  Evaluation  Certification  Statement 

DA  Form  2028 

Recommended  Changes  to  Publications  and  Blank  Forms 
DD  Form  254 

DOD  Contract  Security  Classification  Specification 
SF  85P 

Questionaire  For  Public  Trust  Positions 
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SF  86 

Questionaire  For  National  Security  Positions 
SF  328 

Certificate  Pertaining  to  Foreign  Interests 


Appendix  B 

Sample  Acceptable  Use  Policy 
B-1.  Purpose 

This  appendix  provides  a  sample  AUP  that  may  be  used  by  organizations  to  obtain  explicit  acknowledgements  from 
individuals  on  their  responsibilities  and  limitations  in  using  ISs. 

B-2.  Explanation  of  conventions  in  sample  acceptable  use  policy 

Figure  B-1,  below,  illustrates  a  representative  AUP.  In  this  figure,  text  appearing  in  italicized  font  should  be  replaced 
with  the  appropriate  information  pertinent  to  the  specific  AUP  being  executed.  Army  organizations  may  tailor  the 
information  in  the  sample  AUP  to  meet  their  specific  needs,  as  appropriate. 


61 


ManningB_00016296 


AR  25-2  •  24  October  2007 


o 


J 


Acceptable  Use  Policy 

1.  Understanding.  I  understand  that  I  have  the  primary  responsibility  to  safeguard  the 
information  contained  in  classified  network  name  (CNN)  and lor  unclassified  network  name  (UNN) 
from  unauthorized  or  inadvertent  modification,  disclosure,  destruction,  denial  of  service,  and  use. 

2  Access.  Access  to  this/these  network(s)  is  for  official  use  and  authorized  purposes  and  as  set 
forth  in  DoD  5500.7-R,  ’Joint  Ethics  Regulation'  or  as  further  limited  by  this  policy. 

3.  Revocability.  Access  to  Army  resources  is  a  revocable  pnvilege  and  is  subject  to  content 
monitoring  and  security  testing. 

4.  Classified  information  processing.  CNN  is  the  primary  classified  IS  for  ( insert  your 
organization).  CNN  is  a  US-only  system  and  approved  to  process  (insert  classification)  collateral 
information  as  well  as:  (insert  additional  caveats  or  handling  instructions).  CNN  is  not  authorized 
to  process  [insert  classification  or  additional  caveats  or  special  handling  instructions). 

a.  CNN  provides  communication  to  externa/  DoD  (or  specify  other  appropriate  U  S. 
Government)  organizations  using  the  SIPRNET.  Primarily  this  is  done  via  electronic  mail  and 
internet  networking  protocols  such  as  web,  ftp,  telnet  (insert  others  as  appropriate). 

b.  The  CNN  is  authorized  for  SECRET  or  lower-level  processing  in  accordance  with 
accreditation  package  number,  identification,  etc. 

c.  The  classification  boundary  between  CNN  and  UNN  requires  vigilance  and  attention  by  all 
users.  CNN  is  also  a  US-only  system  and  not  accredited  for  transmission  of  NA  TO  material. 

d.  The  ultimate  responsibiity  for  ensuring  the  protection  of  information  lies  with  the  user.  The 
release  of  TOP  SECRET  information  through  the  CNN  is  a  security  violation  and  will  be 
investigated  and  handled  as  a  security  violation  or  as  a  criminal  offense. 

5.  Unclassified  Information  Processing.  UNN  is  the  primary  unclassified  automated 
administration  tool  for  the  ( Insert  your  organization).  UNN  is  a  US-only  system. 

a.  UNN  provides  unclassified  communication  to  external  DoD  and  other  United  States 
Government  organizations.  Primarily  this  Is  done  via  electronic  mail  and  internet  networking 
protocols  such  as  web,  ftp,  telnet  (insert  others  as  appropriate). 

b.  UNN  Is  approved  to  process  UNCLASSIFIED,  SENSITIVE  Information  in  accordance  with 
(insert  local  regulation  dealing  with  automated  information  system  security  management 
program). 

c.  The  UNN  and  the  Internet,  as  viewed  by  the  (insert  your  organization),  are  synonymous.  E- 
mail  and  attachments  are  vulnerable  to  interception  as  they  traverse  the  NIPRNET  and  Internet. 


Figure  B-1.  Acceptable  use  policy 
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6.  Minimum  security  rules  and  requirements.  As  a  CNN  and/or  UNN  system  user,  the 
following  minimum  security  rules  and  requirements  apply: 

a.  Personnel  are  not  permitted  access  to  CNN  and  UNN  unless  in  complete  compliance  with  the 
(insert  your  organization)  personnel  security  requirement  for  operating  in  a  TOP  SECRET 
system-high  environment. 

b.  I  have  completed  the  user  security  awareness-training  module.  I  will  participate  in  all  training 
programs  as  required  (inclusive  of  threat  identification,  physical  security,  acceptable  use  policies, 
malicious  content  and  logic  identification,  and  non-standard  threats  such  as  social  engineering) 
before  receiving  system  access. 

c.  I  will  generate,  store,  and  protect  passwords  or  pass-phrases.  Passwords  will  consist  of  at 
least  10  characters  with  2  each  of  uppercase  and  lowercase  letters,  numbers,  and  special 
characters.  I  am  the  only  authorized  user  of  this  account.  (I  will  not  use  user  ID,  common  names, 
birthdays,  phone  numbers,  military  acronyms,  call  signs,  or  dictionary  words  as  passwords  or 
pass-phrases.) 

d.  I  will  use  only  authorized  hardware  and  software.  I  will  not  install  or  use  any  personally  owned 
hardware,  software,  shareware,  or  public  domain  software. 

e.  I  will  use  virus-checking  procedures  before  uploading  or  accessing  information  from  any 
system,  diskette,  attachment,  or  compact  disk. 

f.  I  will  not  attempt  to  access  or  process  data  exceeding  the  authorized  IS  classification  level. 

g.  I  will  not  alter,  change,  configure,  or  use  operating  systems  or  programs,  except  as  specifically 
authorized. 

h.  I  will  not  introduce  executable  code  (such  as,  but  not  limited  to,  .exe,  .com,  vbs,  or  .bat  files) 
without  authorization,  nor  will  I  write  malicious  code. 

i.  I  will  safeguard  and  mark  with  the  appropriate  classification  level  all  information  created, 
copied,  stored,  or  disseminated  from  the  IS  and  will  not  disseminate  it  to  anyone  without  a 
specific  need  to  know. 

j.  I  will  not  utilize  Army-  or  DoD-provided  ISs  for  commercial  financial  gain  or  illegal  activities. 

k.  Maintenance  will  be  performed  by  the  System  Administrator  (SA)  only. 

l.  I  will  use  screen  locks  and  log  off  the  workstation  when  departing  the  area. 

m.  I  will  immediately  report  any  suspicious  output,  files,  shortcuts,  or  system  problems  to  the 
(insert  your  organization)  SA  and/or  IASO  and  cease  all  activities  on  the  system. 

n.  I  will  address  any  questions  regarding  policy,  responsibilities,  and  duties  to  (insert  your 
organization)  SA  and/or  IASO. 


Figure  B-1.  Acceptable  use  policy — Continued 
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o.  I  understand  that  each  IS  is  the  property  of  the  Army  and  is  provided  to  me  for  official  and 
authorized  uses.  I  further  understand  that  each  IS  is  subject  to  monitoring  for  security  purposes 
and  to  ensure  that  use  is  authorized.  I  understand  that  I  do  not  have  a  recognized  expectation  of 
privacy  in  official  data  on  the  IS  and  may  have  only  a  limited  expectation  of  privacy  in  personal 
data  on  the  IS.  I  realize  that  I  should  not  store  data  on  the  IS  that  I  do  not  want  others  to  see. 

p.  I  understand  that  monitoring  of  (CNN)  (UNN)  will  be  conducted  for  various  purposes  and 
information  captured  during  monitoring  may  be  used  for  administrative  or  disciplinary  actions  or 
for  criminal  prosecution.  I  understand  that  the  following  activities  define  unacceptable  uses  of  an 
Army  IS: 


•  to  show  what  is  not  acceptable  use 

•  to  show  what  is  acceptable  during  duty/non-duty  hours 

•  to  show  what  is  deemed  proprietary  or  not  releasable  (key  word  or  data  identification) 

•  to  show  what  is  deemed  unethical  (e.g.,  spam,  profanity,  sexual  content,  gaming) 

•  to  show  unauthorized  sites  (e.g.,  pornography,  streaming  video,  E-Bay) 

•  to  show  unauthorized  services  (e.g.,  peer-to-peer,  distributed  computing) 

•  to  define  proper  email  use  and  restrictions  (e.g.,  mass  mailing,  hoaxes,  autoforwarding) 

•  to  explain  expected  results  of  policy  violations  (1  *,  2nd,  3rt,  etc) 

(Note:  Activity  in  any  criteria  can  lead  to  criminal  offenses.) 

q.  The  authority  for  soliciting  a  social  security  number  (SSN)  is  EO  939.  The  information  below 
will  be  used  to  identify  you  and  may  be  disclosed  to  law  enforcement  authorities  for  investigating 
or  prosecuting  violations.  Disclosure  of  information  is  voluntary;  however,  failure  to  disclose 
information  could  result  in  denial  of  access  to  ( insert  your  organization)  information  systems. 

7.  Acknowledgement  I  have  read  the  above  requirements  regarding  use  of  (insert  your 
organization)  access  systems,  I  understand  my  responsibilities  regarding  these  systems  and  the 
information  contained  in  them. 

insert  name  here 

Directorate/Division/Branch 

insert  name  here 

Last  Name,  First,  Ml 

insert  name  here 

Signature 


insert  date  here 

Date 

insert  Rank/Grade  and  SSN  here 

Rank/Grade/  SSN 

insert  phone  number  here 

Phone  Number 


Figure  B-1.  Acceptable  use  policy — Continued 
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B-3.  Standard  mandatory  notice  and  consent  for  all  DOD  Information  system  user  agreements 

Figure  B-2,  below,  is  information  from  the  standard  mandatory  notice  and  consent  for  all  DOD  information  system 
user  agreements. 
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While  Army  organizations  may  customize  their  AUP  to  their  environment,  the  following  text  is  mandated 
by  DoD  and  will  be  included,  amended  or  issued  as  a  standalone  document  as  part  of  the  AUP  process: 

By  signing  this  document,  you  acknowledge  and  consent  that  when  you  access  Department  of  Defense 
(DoD)  information  systems: 

•  You  are  accessing  a  U.S.  Government  (USG)  information  system  (IS)  (which  includes  any  device 
attached  to  this  information  system)  that  is  provided  for  U.S.  Government  authorized  use  only. 

•  You  consent  to  the  following  conditions: 

o  The  U.S.  Government  routinely  intercepts  and  monitors  communications  on  this  information  system 
for  purposes  including,  but  not  limited  to,  penetration  testing,  communications  security  (COMSEC] 
monitoring,  network  operations  and  defense,  personnel  misconduct  (PM),  law  enforcement  (LE),  and 
counterintelligence  (Cl)  investigations. 

o  At  any  time,  the  U.S.  Government  may  inspect  and  seize  data  stored  on  this  information  system. 

o  Communications  using,  or  data  stored  on,  this  information  system  are  not  private,  are  subject  to 
routine  monitoring,  interception,  and  search,  and  may  be  disclosed  or  used  for  any  U.S.  Government- 
authorized  purpose. 

o  This  information  system  includes  security  measures  (e.g.,  authentication  and  access  controls)  to 
protect  U.S.  Government  interests--not  for  your  personal  benefit  or  privacy. 

o  Notwithstanding  the  above,  using  an  information  system  does  not  constitute  consent  to  personnel 
misconduct,  law  enforcement,  or  counterintelligence  investigative  searching  or  monitoring  of  the 
content  of  privileged  communications  or  data  (including  work  product)  that  are  related  to  personal 
representation  or  services  by  attorneys,  psychotherapists,  or  clergy,  and  their  assistants.  Under  these 
circumstances,  such  communications  and  work  product  are  private  and  confidential,  as  further 
explained  below: 

-  Nothing  in  this  User  Agreement  shall  be  interpreted  to  limit  the  user's  consent  to,  or  in  any 
other  way  restrict  or  affect,  any  U.S.  Government  actions  for  purposes  of  network  administration, 
operation,  protection,  or  defense,  or  for  communications  security.  This  includes  all  communications  and 
data  on  an  information  system,  regardless  of  any  applicable  privilege  or  confidentiality. 

-  Whether  any  particular  communication  or  data  qualifies  for  the  protection  of  a  privilege,  or  is 
covered  by  a  duty  of  confidentiality,  is  determined  in  accordance  with  established  legal  standards  and 
DoD  policy.  Users  are  strongly  encouraged  to  seek  personal  legal  counsel  on  such  matters  prior  to  using 
an  information  system  if  the  user  intends  to  rely  on  the  protections  of  a  privilege  or  confidentiality. 

-  Users  should  take  reasonable  steps  to  identify  such  communications  or  data  that  the  user 
asserts  are  protected  by  any  such  privilege  or  confidentiality.  However,  the  user's  identification  or 
assertion  of  a  privilege  or  confidentiality  is  not  sufficient  to  create  such  protection  where  none  exists 
under  established  legal  standards  and  DoD  policy. 


Figure  B-2.  Information  system  user  agreements 
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-  A  user's  failure  to  take  reasonable  steps  to  identify  such  communications  or  data  as  privileged 
or  confidential  does  not  waive  the  privilege  or  confidentiality  if  such  protections  otherwise  exist  under 
established  legal  standards  and  DoD  policy.  However,  in  such  cases  the  U.S.  Government  is  authorized  to 
take  reasonable  actions  to  identify  such  communication  or  data  as  being  subject  to  a  privilege  or 
confidentiality,  and  such  actions  do  not  negate  any  applicable  privilege  or  confidentiality. 

-  These  conditions  preserve  the  confidentiality  of  the  communication  or  data,  and  the  legal 
protections  regarding  the  use  and  disclosure  of  privileged  information,  and  thus  such  communications 
and  data  are  private  and  confidential.  Further,  the  U.S.  Government  shall  take  all  reasonable  measures 
to  protect  the  content  of  captured/seized  privileged  communications  and  data  to  ensure  they  are 
appropriately  protected. 

o  In  cases  when  the  user  has  consented  to  content  searching  or  monitoring  of  communications 
or  data  for  personnel  misconduct,  law  enforcement,  or  counterintelligence  investigative  searching,  (i.e., 
for  all  communications  and  data  other  than  privileged  communications  or  data  that  are  related  to 
personal  representation  or  services  by  attorneys,  psychotherapists,  or  clergy,  and  their  assistants),  the 
U.S.  Government  may,  solely  at  its  discretion  and  in  accordance  with  DoD  policy,  elect  to  apply  a 
privilege  or  other  restriction  on  the  U.S.  Government's  otherwise-authorized  use  or  disclosure  of  such 
information. 

o  All  of  the  above  conditions  apply  regardless  of  whether  the  access  or  use  of  an  information 
system  includes  the  display  of  a  Notice  and  Consent  Banner  ("banner").  When  a  banner  is  used,  the 
banner  functions  to  remind  the  user  of  the  conditions  that  are  set  forth  in  this  User  Agreement, 
regardless  of  whether  the  banner  describes  these  conditions  in  full  detail  or  provides  a  summary  of  such 
conditions,  and  regardless  of  whether  the  banner  expressly  references  this  User  Agreement. 


Figure  B-2.  Information  system  user  agreements  -Continued 


Appendix  C 

Management  Control  Evaluation  Checklist 
C-1.  Function 

The  function  covered  by  this  checklist  is  the  administration  of  the  Army  Information  Assurance  Program. 

C-2.  Purpose 

The  purpose  of  this  checklist  is  to  assist  assessable  unit  manager  and  management  control  administrators  in  evaluating 
the  key  management  controls  outlined  below.  It  is  not  intended  to  cover  all  controls. 

C-3.  Instructions 

Answers  must  be  based  on  the  actual  testing  of  key  management  controls  (for  example,  document  analysis,  direct 
observation,  sampling,  simulation,  or  others).  Answers  that  indicate  deficiencies  must  be  explained  and  corrective 
action  indicated  in  supporting  documentation.  These  key  management  controls  must  be  formally  evaluated  at  least  once 
every  5  years.  Certification  that  this  evaluation  has  been  conducted  must  be  accomplished  on  DA  Form  11-2-R 
(Management  Control  Evaluation  Certification  Statement).  DA  Form  1 1-2-R  is  available  on  the  APD  Web  site  (http:// 
www.apd.army.mil). 
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C-4.  Test  questions 

a.  Have  appropriate  security  personnel  (for  example,  IAPMs,  IAMs,  or  IASOs)  been  appointed? 

b.  Have  risk  analyses  and  vulnerability  assessments  been  performed  for  systems  that  process,  access,  transmit,  or 
store  Army  information? 

c.  Are  the  appropriate  leadership  and  management  personnel  aware  of  the  results  of  risk  analyses  and  vulnerability 
assessments? 

d.  Have  vulnerability  assessments  been  performed  as  per  standard  Army  methodologies  as  detailed  in  this  regulation 
to  ensure  consistency? 

e.  Have  countermeasures  been  identified  based  on  the  results  of  risk  analyses  and  vulnerability  assessments? 

/  Are  countermeasures  in  place  commensurate  with  risks  and  vulnerabilities? 

g.  Is  there  a  written  security  plan  to  document  implementation  of  countermeasures? 

h.  Has  leadership  and  management  formally  accepted  the  risk  to  process  the  information  involved  (or  more  precisely 
stated:  “Are  the  systems  accredited?” 

/.  Are  countermeasures  routinely  tested  (for  example,  user  IDs,  passwords,  audit  trails)? 

j.  Are  Command  and  subordinate  organizations  implementing  and  reporting  compliance  to  USSTRATCOM, 
JTF-GNO,  DOD  and  Army  directed  solutions  or  actions  such  as  Command  Tasking  Orders  (CTOs),  IAVM,  or 
INFOCON  measures? 

k.  Is  Information  Assurance  training  being  performed? 

l.  Are  ACOM,  ASCC,  DRU,  installations,  or  activities  identifying  their  IA  requirements  under  the  appropriate 
MDEP? 

m.  Are  security  incidents  and  violations  (for  example,  viruses,  unauthorized  access,  or  attempts)  reported? 

n.  Have  plans  been  developed  to  ensure  continued  operation  in  the  event  of  major  disruption  (for  example,  fire, 
natural  disaster,  bomb  threat,  or  civil  disorder)? 

o.  Has  a  configuration  control  board  approved  each  network? 

p.  Is  there  an  appropriate  security  official  as  a  member  of  each  board? 

q.  Is  there  a  current  SSAA  on  file  for  each  IS? 

C-5.  Supersession 

This  checklist  replaces  the  checklist  previously  published  in  AR  25-2,  dated  14  November  2003. 

C-6.  Comments 

Help  to  make  this  a  better  tool  for  evaluating  management  controls.  Submit  comments  to:  Chief  Information  Officer/ 
G-6  (CIO/G-6),  107  Army  Pentagon,  Washington,  DC  20310-0107. 
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Glossary 

Section  I 
Abbreviations 

A&VTR 

Asset  and  Vulnerability  Tracking  Resource 
AASA 

Administrative  Assistant  to  the  Secretary  of  the  Army 
ACA 

Agent  of  the  Army  Certification  Authority  (C&A) 

ACERT 

Army  Computer  Emergency  Response  Team 
ACL 

access  control  list 
ACOM 

Army  Command 

ADP  (replaced  by  IT) 
automated  data  processing 

AEI 

Army  Enterprise  Infostructure 
AES 

Advanced  Encryption  Standard 
A-GNOSC 

Army  -  Global  Network  Operations  and  Security  Center 

AIAP 

Army  Information  Assurance  Program  (replacement  for  A1SSP,  Army  Information  Systems  Security  Program) 
AISSP 

Army  Information  Systems  Security  Program  (replaced  by  AIAP) 

AKO 

Army  Knowledge  Online 
AMC 

Army  Materiel  Command 

AP 

approval  products  list 

AR 

Army  Regulation 

ARL 

Army  Research  Laboratory 
ARNET 

Army  Reserve  Network 
ASA(ALT) 

Assistant  Secretary  of  the  Army  for  Acquisition,  Logistics,  and  Technology 
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ASC 

Army  Signal  Command 
ASCC 

Army  Service  Component  Command 

ATD 

Authorization  Termination  Date 
ATS 

Automated  Tactical  System 
ATO 

approval  to  operate 
AUP 

Acceptable  Use  Policy 
AV 

Anti  Virus 
AW  RAC 

Army  Web  Risk  Assessment  Cell 
AWS 

Automated  Weapons  System 

BBP 

Best  Business  Practices 

BPA 

black  purchase  agreement 

C4IM 

Command,  Control,  Communications,  and  Computers  for  Information  Management 
CA 

Certification  Authority 
C&A 

certification  and  accreditation 
CAC 

common  access  card 
CAR 

Certification  Authority  Representative 

CBT  IA 

computer  based  training 
CCB 

Configuration  Control  Board 
CCI 

controlled  cryptographic  item 
CCTL 

common  task  criteria  lab 
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cciu 

Computer  Crime  Investigative  Unit 
CERT 

computer  emergency  response  team 

Cl 

counterintelligence 

CID 

Criminal  Investigation  Command 
CIO/G-6 

Chief  Information  Officer,  G-6 
CISO 

chief  information  security  officer 
CISS 

Center  for  Information  Systems  Security 
CISSP 

Center  for  Information  Systems  Security  Professional 

CIT 

common  information  technology 
CM 

configuration  management 
CMB 

Configuration  Management  Board 
CMVP 

Cryptographic  Module  Validation  Program 
CND 

computer  network  defense 
CNDC 

Computer  Network  Defense  Course 
CNDSP 

Computer  Network  Defense  Service  Provider 
CNO 

computer  network  operations 
CNSS 

Committee  on  National  Security  Systems 
COCO 

contractor  owned,  contractor  operated 
COMSEC 

communications  security 
CON 

Certificate  of  Networthiness 
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CONUS 

Continental  United  States 
COR 

contracting  officer’s  representative 
COS 

Chief  of  Staff 
COTS 

commercial  off-the-shelf 

COOP 

Continuity  of  Operations  Plan 

CPP 

Cooperative  Program  Personnel 
CRD 

compliance  reporting  database 
CSLA 

Communications  Security  Logistics  Agency 
CT1S 

Common  Tier  1  System 
CT&E 

certification,  test  and  evaluation 
CVT 

Compliance  Verification  Team 

DAA 

designated  approving  authority 

DAPE 

Deny  all,  permit  by  exception 

DATO 

Denial  of  Authorization  to  Operate 
DCE 

distributed  computing  environment 

DDL 

Delegation  of  Disclosure  Authority  Letter 
DES 

data  encryption  standard 
DIACAP 

Department  of  Defense  Information  Assurance  Certification  and  Accreditation  Process 

DiD 

Defense  in  Depth 
DISA/CISS 

Defense  Information  Systems  Agency/Center  for  Information  System  Security 
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DITYVAP 

Do-it- Yourself  Vulnerability  Assessment  Program 
DMZ 

demilitarized  zone 
DNS 

Domain  Name  Service 

DOD 

Department  of  Defense 

DODD 

Department  of  Defense  Directive 

DODI 

Department  of  Defense  Instruction 

DOIM 

Director  of  Information  Management 

DRU 

direct  reporting  unit 

EIO&M 

engineering,  implementation,  operation,  and  maintenance 
EK1MS 

Electronic  Key  Management  System 
EOIS 

Employee  Owned  Information  System 
ESEP 

Engineer  and  Scientist  Exchange  Program 

FIPS 

Federal  Information  Processing  Standard 
FISMA 

Federal  Information  Security  Management  Act 
FLO 

foreign  liaison  officer 
FN 

foreign  national 
FOCI 

Foreign  ownership,  control,  or  influence 
FOIA 

Freedom  of  Information  Act 
FOT&E 

follow-on  test  and  evaluation 

FPAT 

Force  Protection  Assessment  Team 
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FY 

fiscal  year 
GOTS 

government-off-the-shelf 

HQDA 

Headquarters,  Department  of  the  Army 
I&A 

identification  and  authentication 

IA 

Information  Assurance 

IAM 

Information  Assurance  Manager 

IANM 

Information  Assurance  Network  Manager 
IANO 

Information  Assurance  Network  Officer 

IAPM 

Information  Assurance  Program  Manager 

IAP&T 

information  assurance  policy  &  technology 
IASO 

Information  Assurance  Security  Officer 

IATC 

interim  authority  to  connect 
IATO 

interim  approval  to  operate 
IATT 

Information  Assurance  Technical  Tip 

IATT 

Interim  Authorization  to  Test  (C&A) 

IAVA 

Information  Assurance  Vulnerability  Alert 

IAVB 

Information  Assurance  Vulnerability  Bulletin 
IAVM 

Information  Assurance  Vulnerability  Management 
ICAN 

Installation  Campus  Area  Network  (installation  backbone) 
ICC 

integrated  circuit  chip 
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IDS 

Intrusion  Detection  System 

IMA 

Installation  Management  Agency 
INFOCON 

information  operations  condition 

INFOSEC 
information  security 

IO 

information  operations 

IOT&E 

initial  operational  test  and  evaluation 
IOVAD 

Information  Operations  Vulnerability  Assessments  Division 


IP 

Internet  Protocol 

IS 

information  system 
ISS 

Information  Systems  Security  (replaced  by  Information  Assurance) 

IT 

information  technology 
ITS 

information  technology  services 

JIM 

Joint  Interagency  and  Multinational 
JDCSISSS 

Joint  DODIIS  Cryptologic  SCI  Information  Systems  Security  Standards 
JKMIWG 

Joint  Key  Management  Infrastructure  Working  Group 
KM  EC 

Key  Management  Executive  Committee 

KMI 

key  management  infrastructure 
KVM/KMM 

keyboard,  video,  mouse/keyboard,  monitor,  mouse 
LAN 

local  area  network 
LCERT 

Local  Computer  Emergency  Response  Team 
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LE/CI 

Law  Enforcement/Counter  Intelligence  Center 
LOC 

level  of  confidentiality 
MAC 

mission  assurance  category 

MAP 

Mitigation  Action  Plan 
MCD 

mobile  computer  device 

MCEB 

Military  Communications  Electronics  Board 

MDEP 

management  decision  package 

MDID 

market  driven/industry  developed 
MEVA 

mission  essential  vulnerable  area 
MOA 

Memorandum  of  Agreement 
MPE 

miscellaneous  processing  equipment 

MPEP 

Military  Personnel  Exchange  Program 
MSC 

major  subordinate  command 

MWR 

morale,  welfare,  and  recreation 
NA 

network  administrator 
NAC 

National  Agency  Check 
NACIC 

National  Agency  Check  with  Credit  Check  and  written  inquiries 
NACLC 

National  Agency  Check  with  Local  Agency  and  Credit  Checks 
NCR 

National  Capital  Region 

NDI 

non-developmental  item 
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NETCOM 

Network  Enterprise  Technology  Command 
NETOPS 

network  operations 
NGB 

National  Guard  Bureau 

NIAP 

National  Information  Assurance  Partnership 
NIST 

National  Institute  of  Standards  and  Technology 
NM 

network  manager 
NSA 

National  Security  Agency 
NSI 

National  Security  Information 
NSS 

National  Security  System 
OCA 

original  classification  authority 
OCONUS 

outside  continental  United  States 
OIA&C 

Office  of  Information  Assurance  and  Compliance 

OPCON 

operational  control 

OPM 

Office  of  Personnel  Management 

ORD 

operation  requirements  document 
OTE 

operational  training  experience 

PDA 

personal  digital  assistant 

PDS 

Protected  Distribution  System 

PED 

personal  electronic  device  or  portable  electronic  device 
PEG 

program  evaluation  group 
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PEO 

program  executive  officer 

PIN 

personal  identification  number 

PL 

public  law  or  protection  level 

PM 

program  manager  or  project  manager  or  product  manager 

POA&M 

Plan  of  Action  and  Milestones 

POLP 

principle  of  least  privilege 

POM 

program  objective  memorandum 

PPS 

ports,  protocols,  and  services 

RA 

remote  access 

RADIUS 

Remote  Authentication  Dial-in  User  System 
RAS 

remote  access  server 

RCERT 

Regional  Computer  Emergency  Response  Team 

RCIO 

regional  chief  information  officer 

RDT&E 

research,  development,  test,  and  evaluation 

ROM 

read  only  memory 
SA 

Systems  Administrator 

SABI 

secret  and  below  interoperability 
SBU 

Sensitive  but  Unclassified  (obsolete  term) 

SCI 

sensitive  compartmented  information 

SETI 

strategic  electronic  technology  information 
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SIAO 

Senior  Information  Assurance  Officer 

SII 

Statement  of  Intelligence  Interest  or  Security/Suitability  Investigations  Index 
SIO 

senior  intelligence  officer 

SIOP-ESI 

Single  Integrated  Operational  Plan-Extremely  Sensitive  Information 

SIR 

serious  incident  report 
SFTP 

Secure  File  Transfer  Protocol 
SISS 

Subcommittee  for  Information  Systems  Security 

SOP 

standard  operating  procedure 
SSAA 

System  Security  Authorization  Agreement 

SSBI 

single-scope  background  investigation 
SSH 

secure  shell 
SSL 

secure  sockets  layer 
SSN 

social  security  number 
SSP 

System  Security  Policy 
STANREP 

standardization  representative 
STEP 

standard  tactical  entry  point 
STIG 

Security  Technical  Implementation  Guide 
STS 

Subcommittee  for  Telecommunications  Security 
SO 

System  Owner 
TA 

technical  advisory 
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TAG 

technical  advisoiy  group 
TDY 

temporary  duty 
TEMP 

Test  and  Evaluation  Master  Plan 
TLA 

Top  Layer  Architecture 
TNOSC 

Theater  Network  Operations  and  Security  Center 
TS 

Top  Secret 
TSACS 

Terminal  Server  Access  Control  System 

TSMB 

Tier  1  System  Management  Board 
TS/SCI 

Top  Secret/Sensitive  Compartmented  Information 
TTP 

tactics,  techniques,  and  procedures 
URL 

universal  resource  locator 
USAAA 

United  States  Army  Audit  Agency 

USERID 

user  identification 

VAT 

vulnerability  assessment  technician 

VIS 

vendor  integrity  statement 
VPN 

virtual  private  network 
WLAN 

wireless  local  area  network 
WWW 

World  Wide  Web 

Section  II 
Terms 

Access 

(IS)  Ability  and  means  to  communicate  with  (that  is,  provide  input  to  or  receive  output  from),  or  otherwise  make 
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of  any  information,  resource,  or  component  in  an  IS.  (COMSEC)  Capability  and  opportunity  to  gain  knowledge  or  to 
alter  information  or  materiel. 

Access  control 

The  process  of  limiting  access  to  the  resources  of  an  IS  only  to  authorized  users,  programs,  processes,  or  other  systems. 
Accountability 

(IS)  Property  that  enables  auditing  of  activities  on  an  IS  to  be  traced  to  persons  who  may  then  be  held  responsible  for 
their  actions.  (COMSEC)  Principle  that  an  individual  is  responsible  for  safeguarding  and  controlling  of  COMSEC 
equipment,  keying  materiel,  and  information  entrusted  to  his  or  her  care  and  is  answerable  to  proper  authority  for  the 
loss  or  misuse  of  that  equipment  or  information. 

Accreditation  Decision 

An  official  designation  from  a  DAA,  in  writing  or  digitally  signed  e-mail,  made  visible  to  the  CIO/G-6,  regarding 
acceptance  of  the  risk  associated  with  operating  an  IS.  Expressed  as  ATO,  IATO,  IATT,  or  DATO. 

Adjunct  Network 

For  the  purpose  of  C&A,  those  networks  that  depend  on  the  connections  to  the  common  transport  network  and  services 
of  the  ICAN.  These  networks  rely  on  the  ICAN  for  NIPRNET  and  SIPRNET  connectivity.  These  may  or  may  not  be 
under  DOIM  management  and  usually  connect  to  the  ICAN  below  the  security  stack.  They  may  be  controlled  by  a 
tenant  as  small  as  an  office  or  as  large  as  a  ACOM/ASCC  headquarters. 

Approval  to  operate 

Synonymous  with  accreditation. 

Army  information 

Information  originated  by  or  concerning  the  Army. 

Audit 

Independent  review  and  examination  of  records  and  activities  to  assess  the  adequacy  of  system  controls,  to  ensure 
compliance  with  established  policies  and  operational  procedures,  and  to  recommend  necessary  changes  in  controls, 
policies,  or  procedures. 

Audit  trail 

Chronological  record  of  system  activities  to  enable  the  construction  and  examination  of  the  sequence  of  events  or 
changes  in  an  event  (or  both).  An  audit  trail  may  apply  to  information  in  an  IS,  to  message  routing  in  a  communica¬ 
tions  system,  or  to  the  transfer  of  COMSEC  materiel. 

Authenticate 

To  verify  the  identity  of  a  user,  user  device,  or  other  entity,  or  the  integrity  of  data  stored,  transmitted,  or  otherwise 
exposed  to  possible  unauthorized  modification  in  an  automated  information  system,  or  to  establish  the  validity  of  a 
transmitted  message. 

Authentication 

Security  measure  designed  to  establish  the  validity  of  a  transmission,  message,  or  originator,  or  a  means  of  verifying  an 
individual’s  identity  or  eligibility  to  receive  specific  categories  of  information  or  perform  specific  actions. 

Authorization  to  operate 

Authorization  granted  by  the  DAA  for  an  information  system  to  process,  store,  or  transmit  information.  Authorization 
is  based  on  acceptability  of  the  solution,  the  system  architecture,  implementation  of  assigned  IA  Controls,  the 
operational  1A  risk  level,  and  the  mission  need. 

Auto-manual  system 

Programmable,  hand-held  COMSEC  equipment  used  to  perform  encoding  and  decoding  functions. 

Automated  information  system  (obsolete  term) 

(See  information  system  (IS)) 

Automated  Information  System  Application 

For  IA  purposes,  the  product  or  deliverable  resulting  from  an  acquisition  program.  An  Automated  Information  System 
(AIS)  application  performs  clearly  defined  functions  for  which  there  are  readily  identifiable  security  considerations  and 
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needs  that  are  addressed  as  part  of  the  acquisition.  An  AIS  application  may  be  a  single  software  application  (for 
example,  integrated  consumable  items  support);  multiple  software  applications  that  are  related  to  a  single  mission  (for 
example,  payroll  or  personnel);  or  a  combination  of  software  and  hardware  performing  a  specific  support  function 
across  a  range  of  missions  (for  example,  Global  Command  and  Control  System,  Defense  Messaging  System).  AIS 
applications  are  deployed  to  enclaves  for  operations,  and  often  have  their  operational  security  needs  assumed  by  the 
enclave.  Note  that  an  AIS  application  is  analogous  to  a  "major  application"  as  defined  in  OMB  A— 130;  however,  this 
term  is  not  used  in  order  to  avoid  confusion  with  the  DOD  acquisition  category  of  major  AIS. 

Automated  Tactical  System 

Any  IS  that  is  used  for  communications,  operations,  or  as  a  weapon  during  mobilization,  deployment,  or  a  tactical 
exercise.  An  Automated  Tactical  System  (ATS)  may  include,  but  is  not  limited  to,  data  processors,  firmware,  hardware, 
peripherals,  software  or  other  interconnected  components  and  devices  (for  example,  radar  equipment,  global  positioning 
devices,  sensors,  guidance  systems  for  airborne  platforms). 

Automated  weapon  systems 

Any  weapons  system  that  utilizes  a  combination  of  computer  hardware  and  software  to  perform  the  functions  of  an 
information  system  (such  as  collecting,  processing,  transmitting,  and  displaying  information)  in  its  operation. 

Availability 

The  state  when  data  are  in  the  place  needed  by  the  user,  at  the  time  the  user  needs  them,  and  in  the  form  needed  by  the 
user. 


Category 

Restrictive  label  that  has  been  applied  to  both  classified  and  unclassified  data,  thereby  increasing  the  requirement  for 
protection  of,  and  restricting  the  access  to,  the  data.  Examples  include  sensitive  compartmented  information,  proprie¬ 
tary  information,  and  North  Atlantic  Treaty  Organization  information.  Individuals  are  granted  access  to  special 
category  information  only  after  being  granted  formal  access  authorization. 

Central  computer  facility 

One  or  more  computers  with  their  peripheral  and  storage  units,  central  processing  units,  and  communications  equip¬ 
ment  in  a  single  controlled  area.  Central  computer  facilities  are  those  areas  where  computer(s)  (other  than  personal 
computers))  are  housed  to  provide  necessary  environmental,  physical,  or  other  controls. 

Certification 

Comprehensive  evaluation  of  the  technical  and  non-technical  security  features  of  an  IS  and  other  safeguards,  made  in 
support  of  the  accreditation  process,  to  establish  the  extent  to  which  a  particular  design  and  implementation  meets  a  set 
of  specified  security  requirements. 

Certification  and  accreditation 

The  standard  DOD  approach  for  identifying  information  security  requirements,  providing  security  solutions,  and 
managing  the  security  of  DOD  information  systems. 

Certification  authority 

Government  civilian  or  military  official  with  the  authority  and  responsibility  for  formal  evaluation  of  the  IA  capabili¬ 
ties  and  services  of  an  information  system  and  risks  associated  with  operation  of  the  information  system.  The  Army 
CA  is  the  Army  FISMA  SIAO,  the  Director  OIA&C,  NETC-EST-I. 

Certification  support 

Those  activities  associated  with  coordination  of  certification  events  such  as  preparation  for  certification  test  activities, 
conduct  of  the  certification  event(s),  preparation  of  the  Certification  Report,  preparation  of  the  certification  scorecard, 
and  preparation  of  the  ISs  risk  assessment.  Certification  support  does  not  include  those  functions  that  are  the 
responsibility  of  the  system  owner  (for  example.  Information  System  Security  Engineering,  primary  SSAA  develop¬ 
ment,  SSAA  consolidation  prior  to  submission  for  approval,  or  POA&M  development). 

Certification  event 

An  evaluation  of  an  information  system  to  determine  compliance  with  IA  Controls.  This  may  be  in  support  of  an 
IATO,  IATT,  ATO,  or  DATO. 
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Classified  defense  information 

Official  information  regarding  national  security  that  has  been  designated  top  secret,  secret,  or  confidential  in  accord¬ 
ance  with  Executive  Order  12958,  as  amended  by  Executive  Orders  12972,  13142,  and  13292. 

Clearing 

Removal  of  data  from  an  IS,  its  storage  devices,  and  other  peripheral  devices  with  storage  capacity  in  such  a  way  that 
the  data  may  not  be  reconstructed  using  normal  system  capabilities  (for  example,  through  the  keyboard).  An  IS  need 
not  be  disconnected  from  any  external  network  before  clearing  takes  place.  Clearing  enables  a  product  to  be  reused 
within  the  same  environment  at  the  same  classification  and  confidentiality  level.  It  does  not  produce  a  declassified 
product  by  itself,  but  may  be  the  first  step  in  the  declassification  process  (see  Purge). 

Commercial  Communications  Security  Endorsement  Program 

Relationship  between  the  National  Security  Agency  and  industry,  in  which  the  National  Security  Agency  provides  the 
COMSEC  expertise  (that  is,  standards,  algorithms,  evaluations,  and  guidance)  and  industry  provides  design,  develop¬ 
ment,  and  production  capabilities  to  produce  a  type  1  or  type  2  product.  Products  developed  under  the  Commercial 
COMSEC  Endorsement  Program  may  include  modules,  subsystems,  equipment,  systems,  and  ancillary  devices. 

Compartmented  mode 

IS  security  mode  of  operation  wherein  each  user  with  direct  or  indirect  access  to  the  system,  its  peripherals,  remote 
terminals,  or  remote  hosts  has  all  of  the  following:  (1)  Valid  security  clearance  for  the  most  restricted  information 
processed  in  the  system;  (2)  Formal  access  approval  and  signed  non-disclosure  agreements  for  that  information  to 
which  a  user  is  to  have  access;  and  (3)  Valid  need-to-know  for  information  to  which  a  user  is  to  have  access. 

Compromising  emanations 

Unintentional  signals  that,  if  intercepted  and  analyzed,  would  disclose  the  information  transmitted,  received,  handled, 
or  otherwise  processed  by  telecommunications  or  automated  information  systems  equipment  (see  TEMPEST). 

Computer 

A  machine  capable  of  accepting  data,  performing  calculations  on,  or  otherwise  manipulating  that  data,  storing  it,  and 
producing  new  data. 

Computer  facility 

Physical  resources  that  include  structures  or  parts  of  structures  that  support  or  house  computer  resources.  The  physical 
area  where  the  equipment  is  located. 

Computer  security 

Measures  and  controls  that  ensure  confidentiality,  integrity,  and  availability  of  the  information  processed  and  stored  by 
a  computer. 

Confidentiality 

Assurance  that  information  is  not  disclosed  to  unauthorized  entities  or  processes. 

Configuration  control 

Process  of  controlling  modifications  to  a  telecommunication  or  information  system  hardware,  firmware,  software,  and 
documentation  to  ensure  the  system  is  protected  against  improper  modifications  prior  to,  during,  and  after  system 
implementation. 

Configuration  management 

The  management  of  security  features  and  assurances  through  control  of  changes  made  to  hardware,  software,  firmware, 
documentation,  test,  test  fixtures,  and  test  documentation  of  an  IS  throughout  the  development  and  operational  life  of 
the  system. 

Contingency  plan 

A  plan  maintained  for  emergency  response,  backup  operations,  and  post-disaster  recovery  for  an  IS,  as  a  part  of  its 
security  program,  that  will  ensure  the  availability  of  critical  resources  and  facilitate  the  continuity  of  operations  in  an 
emergency  situation. 

Controlled  access  protection 

Log-in  procedures,  audit  of  security-relevant  events,  and  resource  isolation  as  prescribed  for  class  C2  in  DOD  5200. 
28-STD. 
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Controlled  cryptographic  item 

Secure  telecommunications  or  information  handling  equipment,  or  associated  cryptographic  component,  that  is  unclas¬ 
sified  but  governed  by  a  special  set  of  control  requirements.  Such  items  are  marked  CONTROLLED  CRYPTO¬ 
GRAPHIC  ITEM  or,  where  space  is  limited,  controlled  cryptographic  item. 

Countermeasure 

An  action,  device,  procedure,  technique,  or  other  measure  that  reduces  the  vulnerability  of  an  IS. 

Cryptographic 

Pertaining  to,  or  concerned  with,  cryptography. 

Cryptographic  equipment 

Equipment  that  embodies  a  cryptographic  logic. 

Cryptography 

Principles,  means,  and  methods  for  rendering  plain  information  unintelligible  and  for  restoring  encrypted  information  to 
intelligible  form. 

Data  security 

Protection  of  data  from  unauthorized  (accidental  or  intentional)  modification,  destruction,  or  disclosure. 

Declassification  (of  magnetic  storage  media) 

An  administrative  procedure  resulting  in  a  determination  that  classified  information  formerly  stored  on  a  magnetic 
medium  has  been  removed  or  overwritten  sufficiently  to  permit  reuse  in  an  unclassified  environment. 

Defense  in  Depth 

The  DiD  encompasses  a  physical  and  logical  structure  that  requires  a  layering  of  security  policies,  procedures,  and 
technology  mechanisms  to  protect  network  resources,  from  the  desktop  to  the  enterprise,  within  and  across  the 
enterprise  architecture.  Layered  defenses  include,  but  are  not  limited  to,  the  installation  of  IA  policy  protections 
complementing  the  use  of  proxy  services,  firewalls,  IDSs,  implementation  of  DMZs,  redundant  filtering  policies  across 
devices,  and  access  control  and  accountability. 

Degauss 

Destroy  information  contained  in  magnetic  media  by  subjecting  that  media  to  high-intensity  alternating  magnetic  fields, 
following  which  the  magnetic  fields  slowly  decrease. 

Demilitarized  zone 

A  small  network  or  computer  host  that  serves  as  a  “neutral  zone”  between  an  internal  network  and  the  public  network. 
A  DMZ  prevents  users  from  obtaining  direct  access  to  an  internal  server  that  may  have  business  data  on  it.  A  DMZ  is 
another  approach  to  the  use  of  a  firewall  and  can  act  as  a  proxy  server  if  desired. 

Denial  of  service 

Result  of  any  action  or  series  of  actions  that  prevents  any  part  of  a  telecommunications  or  IS  from  functioning. 

Designated  approving  authority 

A  general  officer  (GO),  SES  or  equivalent  official  appointed  by  the  Army  CIO/G-6  with  the  authority  to  formally 
assume  responsibility  for  operating  a  system  at  an  acceptable  level  of  risk.  This  term  is  synonymous  with  Designated 
Authorization  Authority  and  Delegated  Accrediting  Authority. 

DATO 

DAA  determination  that  an  information  system  cannot  operate  because  of  an  inadequate  IA  design  or  failure  to 
implement  assigned  IA  controls.  If  the  system  is  already  in  use,  operation  of  the  system  is  halted. 

Digital  signature 

An  electronic  rather  than  a  written  signature  used  by  someone  to  authenticate  the  identity  of  a  sender  of  a  message  or 
signer  of  a  document.  A  digital  signature  ensures  that  the  content  of  a  message  or  document  is  unaltered.  Digital 
signatures  can  be  time-stamped,  cannot  be  imitated  by  another  person,  cannot  be  easily  repudiated,  and  are 
transportable. 

Discretionary  access  control  (DAC) 

Means  of  restricting  access  to  objects  based  on  the  identity  and  need-to-know  of  users  or  groups  to  which  the  object 
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belongs.  Controls  are  discretionary  in  the  sense  that  a  subject  with  certain  access  permission  is  capable  of  passing  that 
permission  (directly  or  indirectly)  to  any  other  subject. 

Eavesdropping 

Method  used  by  an  unauthorized  individual  to  obtain  sensitive  information  (for  example,  passwords,  data)  from  a 
network.  Eavesdropping  techniques  include  wiretapping,  eavesdropping  by  radio,  eavesdropping  via  auxiliary  ports  on 
a  terminal,  and  use  of  software  that  monitors  packets  sent  over  a  network.  Vulnerable  network  programs  are  telnet  and 
ftp. 

Embedded  cryptography 

Cryptography  that  is  engineered  into  a  piece  of  equipment  or  system  the  basic  function  of  which  is  not  cryptographic. 
Components  comprising  the  cryptographic  module  are  inside  the  equipment  or  system  and  share  host-device  power  and 
housing.  The  cryptographic  function  may  be  dispersed  if  identifiable  as  a  separate  module  within  the  host. 

Embedded  (computer)  system 

Computer  system  that  is  an  integral  part  of  a  larger  system  or  subsystem  that  performs  or  controls  a  function,  either  in 
whole  or  in  part. 

Emission  security 

Protection  resulting  from  all  measures  taken  to  deny  unauthorized  persons  information  of  value  that  might  be  derived 
from  intercept  and  analysis  of  compromising  emanations  from  cryptographic  equipment,  ISs,  and  telecommunications 
systems. 

Enclave 

The  collection  of  computing  environments  connected  by  one  or  more  internal  networks,  under  the  control  of  a  single 
authority  and  security  policy  that  includes  personnel  and  physical  security.  Enclaves  always  assume  the  highest  mission 
assurance  category  and  security  classification  of  the  AIS  applications  or  outsourced  IT-based  processes  they  support, 
and  derive  their  security  needs  from  those  systems.  They  provide  standard  IA  capabilities  such  as  boundary  defense, 
incident  detection  and  response,  and  key  management,  and  also  deliver  common  applications  such  as  office  automation 
and  electronic  mail.  Enclaves  may  be  specific  to  an  organization  or  a  mission,  and  the  computing  environments  may  be 
organized  by  physical  proximity  or  by  function  independent  of  location.  Examples  of  enclaves  include  local  area 
networks  and  the  applications  they  host,  backbone  networks,  and  data  processing  centers. 

Extranet 

A  private  network  that  uses  Internet  protocols  and  the  public  telecommunications  system  to  securely  share  information 
among  selected  external  users.  An  Extranet  requires  the  use  of  firewalls,  authentication,  encryption,  and  VPNs  that 
tunnel  through  the  public  network. 

File  server 

Computer  hardware  used  to  provide  storage  for  user  data  and  software  applications,  processing  capabilities  for  user 
workstations,  and  (normally)  connection  and  control  of  workstations  to  a  LAN. 

Firewall 

A  system  or  group  of  systems  that  enforces  an  access  control  policy  between  two  networks  with  the  properties  of 
allowing  only  authorized  traffic  to  pass  between  the  networks  from  inside  and  outside  the  controlled  environment  and 
is  immune  to  penetration. 

Firmware 

Software  that  is  permanently  stored  in  a  hardware  device  that  allows  reading  and  executing  the  software,  but  not 
writing  or  modifying  it. 

Fly  Away  C&A  package  (tactical  deployed) 

Tactical  C&A  package  that  supports  tactical  IS  deployment  and  contains  the  minimum  amount  of  C&A  information 
necessary  for  secure  operations  and  allow  connection  to  a  network  in  their  deployed  location. 

Foreign  exchange  personnel 

Military  members  or  civilian  officials  of  a  foreign  defense  establishment  (that  is,  a  DOD  equivalent)  who  are  assigned 
to  a  DOD  component  in  accordance  with  the  terms  of  an  exchange  agreement  and  who  perform  duties,  prescribed  by  a 
position  description,  for  the  DOD  component. 
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Foreign  liaison  officers 

A  foreign  government  military  or  civilian  employee  who  is  authorized  by  his  or  her  government,  and  is  certified  by  the 
DOD  Component,  to  act  as  an  official  representative  of  that  government  in  its  dealing  with  the  DOD  component  in 
connection  with  programs,  projects,  or  agreements  of  interest  to  the  governments.  Three  types  of  foreign  liaison 
officers  include  security  cooperation,  operational,  and  national  representatives. 

Foreign  national 

Non-U. S.  citizens  who  normally  reside  in  the  country  where  employed,  though  they  may  not  be  citizens  of  that 
country,  and  who  are  employed  by  the  Government  or  the  DA  to  perform  services  or  duties  and  are  not  considered  a 
foreign  official  or  representative  of  that  nation. 

Foreign  official 

Non-U.S.  citizens  who  may  or  may  not  reside  in  the  country  where  employed,  who  are  employed  by  their  respective 
nation  as  an  official  representative  of  that  nation  in  their  official  capacity,  and  assigned  to  the  Government  or  DA 
organizations  or  commands  in  the  role  of  liaison,  representative,  engineer,  scientist,  or  a  member  of  the  Military 
Personnel  Exchange  Program. 

Formal  access  approval 

Documented  approval  by  a  data  owner  to  allow  access  to  a  particular  category  of  information. 

Foreign  ownership,  control,  or  influence 

A  company  is  considered  to  be  under  foreign  ownership,  control,  or  influence  whenever  a  foreign  interest  has  the  direct 
or  indirect  power  either  through  the  ownership  of  the  company’s  securities,  contractual  arrangements,  or  other  means; 
to  direct  or  decide  matters  affecting  the  operations  of  that  company.  This  influence  may  result  in  unauthorized  access 
to  classified  or  sensitive  information,  information  systems,  or  information  systems  architectures. 

Information  assurance  product 

Product  or  technology  whose  primary  purpose  is  to  provide  security  services  (for  example,  confidentiality,  authentica¬ 
tion,  integrity,  access  control,  or  non-repudiation  of  data);  correct  known  vulnerabilities;  or  provide  layered  defense 
against  various  categories  of  non-authorized  or  malicious  penetrations  of  information  systems  or  networks.  Examples 
include  such  products  as  data/network  encryptors,  firewalls,  and  intrusion  detection  devices. 

Information  assurance-enabled  product 

Product  or  technology  whose  primary  role  is  not  security,  but  which  provides  security  services  as  an  associated  feature 
of  its  intended  operating  capabilities.  Examples  include  such  products  as  security-enabled  web  browsers,  screening 
routers,  trusted  operating  systems,  and  security-enabled  messaging  systems. 

IAA  view 

See  interconnected  accredited  IS  view. 

Information  owner 

Government,  civilian  or  military  official  with  statutory  or  operational  authority  for  specified  information,  and  responsi¬ 
bility  for  establishing  the  controls  for  its  generation,  collection,  processing,  dissemination  and  disposal.  Information 
owners  will  ensure  that  the  DA  information  entrusted  to  their  care  is  store,  processed,  or  transmitted  only  on 
information  systems  that  have  obtained  IA  approval  to  operate  in  accordance  with  Army  processes  for  the  confiden¬ 
tiality  level  of  their  information.  This  applies  to  all  systems,  to  include  services  on  COCO  systems  as  well  as  GOCO 
systems. 

Interconnected  accredited  information  system  view 

If  a  network  consists  of  previously  accredited  ISs,  a  MOA  is  required  between  the  DAA  of  each  DOD  component  IS 
and  the  DAA  responsible  for  the  network.  The  network  DAA  must  ensure  that  interface  restrictions  and  limitations  are 
observed  for  connections  between  DOD  Component  ISs.  In  particular,  connections  between  accredited  ISs  must  be 
consistent  with  the  mode  of  operation  of  each  IS  as  well  as  the  specific  sensitivity  level  or  range  of  sensitivity  levels 
for  each  IS.  If  a  component  that  requires  an  external  connection  to  perform  a  useful  function  is  accredited,  it  must 
comply  with  any  additional  interface  constraints  associated  with  the  particular  interface  device  used  for  the  connection 
as  well  as  any  other  restrictions  required  by  the  MOA. 

Information  system 

Set  of  information  resources  organized  for  the  collection,  storage,  processing,  maintenance,  use,  sharing,  dissemination. 
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disposition,  display,  or  transmission  of  information.  Includes  A1S  applications,  enclaves,  outsourced  IT-based 
processes,  and  platform  IT  interconnections. 

Information  assurance 

The  protection  of  systems  and  information  in  storage,  processing,  or  transit  from  unauthorized  access  or  modification; 
denial  of  service  to  unauthorized  users;  or  the  provision  of  service  to  authorized  users.  It  also  includes  those  measures 
necessary  to  detect,  document,  and  counter  such  threats.  Measures  that  protect  and  defend  information  and  ISs  by 
ensuring  their  availability,  integrity,  authentication,  confidentiality,  and  non-repudiation.  This  includes  providing  for 
restoration  of  ISs  by  incorporating  protection,  detection,  and  reaction  capabilities.  This  regulation  designates  1A  as  the 
security  discipline  that  encompasses  COMSEC,  INFOSEC,  and  control  of  compromising  emanations  (TEMPEST). 

Information  Assurance  Vulnerability  Management  (IAVM) 

IAVM  is  the  DOD  program  to  identify  and  resolve  identified  vulnerabilities  in  operating  systems.  It  requires  the 
completion  of  four  distinct  phases  to  ensure  compliance. 

Information  dissemination  management 

Activities  to  support  the  management  of  information  and  data  confidentiality,  integrity,  and  availability,  including 
document  management,  records  management,  official  mail,  and  work-flow  management. 

Information  technology  (IT) 

The  hardware,  firmware,  and  software  used  as  a  part  of  an  information  system  to  perform  DOD  information  functions. 
This  definition  includes  computers,  telecommunications,  automated  information  systems,  and  automatic  data  processing 
equipment.  IT  includes  any  assembly  of  hardware,  software,  or  firmware  configured  to  collect,  create,  communicate, 
compute,  disseminate,  process,  store,  or  control  data  or  information. 

Integrity 

The  degree  of  protection  for  data  from  intentional  or  unintentional  alteration  or  misuse. 

Intelligence  information 

Information  collected  and  maintained  in  support  of  a  U.S.  intelligence  mission. 

Interim  authority  to  operate 

Temporary  authorization  granted  by  the  DAA  to  operate  an  information  system  under  the  conditions  or  constraints 
enumerated  in  the  Accreditation  Decision. 

Interim  authority  to  test  (certification  and  accreditation) 

Temporary  authorization  granted  by  the  DAA  to  test  an  information  system  in  a  specified  operational  information 
environment  (usually  a  live  information  environment  or  with  live  data)  within  the  timeframe  and  under  the  conditions 
or  constraints  enumerated  in  the  Accreditation  Decision. 

Incident 

Assessed  occurrence  having  actual  or  potentially  adverse  effects  on  an  information  system. 

Internet 

A  global  collaboration  of  data  networks  that  are  connected  to  each  other,  using  common  protocols  (for  example,  TCP/ 
IP)  to  provide  instant  access  to  an  almost  indescribable  wealth  of  information  from  computers  around  the  world. 

Intranet 

Similar  to  the  Internet,  but  is  accessible  only  by  the  organization’s  employees  or  others  with  authorization.  Usually 
internal  to  a  specific  organization. 

Installation  Campus  Area  Network 

The  common  transport  network  provided  by  the  responsible  DOIM  on  every  Army  post/camp/station  and  the  associated 
common  network  services,  including  network  management  and  IA  services.  The  ICAN  is  often  commonly  referred  to 
as  the  backbone  network. 

Information  system  security  incident  (security  incident) 

Any  unexplained  event  that  could  result  in  the  loss,  corruption,  or  denial  of  access  to  data,  as  well  as  any  event  that 
cannot  be  easily  dismissed  or  explained  as  normal  operations  of  the  system.  Also,  an  occurrence  involving  classified  or 
sensitive  information  being  processed  by  an  IS  where  there  may  be:  a  deviation  from  the  requirements  of  the  governing 
security  regulations;  a  suspected  or  confirmed  compromise  or  unauthorized  disclosure  of  the  information;  questionable 
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data  or  information  integrity  (for  example,  unauthorized  modification);  unauthorized  modification  of  data;  or  unavail¬ 
able  information  for  a  period  of  time.  An  attempt  to  exploit  any  IS  such  that  the  actual  or  potential  adverse  effects  may 
involve  fraud,  waste,  or  abuse;  compromise  of  information;  loss  or  damage  of  property  or  information;  or  denial  of 
service.  Security  incidents  include  penetration  of  computer  systems,  exploitation  of  technical  and  administrative 
vulnerabilities,  and  introduction  of  computer  viruses  or  other  forms  of  malicious  code.  (A  security  incident  may  also 
involve  a  violation  of  law.  If  a  violation  of  law  is  evident  or  suspected,  the  incident  must  also  be  reported  to  both 
security  and  law  enforcement  organizations  for  appropriate  action.)  (NSTISSD  503) 

Information  system  serious  incident 

Any  event  that  poses  grave  danger  to  the  Army’s  ability  to  conduct  established  information  operations. 

Key 

Information  (usually  a  sequence  of  random  or  pseudo-random  binary  digits)  used  initially  to  set  up  and  periodically  to 
change  the  operations  performed  in  crypto-equipment  for  the  purpose  of  encrypting  or  decrypting  electronic  signals,  for 
determining  electronic  counter-measures  patterns  (for  example,  frequency  hopping  or  spread  spectrum),  or  for  produc¬ 
ing  another  key. 

Key  management 

Process  by  which  a  key  is  generated,  stored,  protected,  transferred,  loaded,  used,  and  destroyed. 

Least  privilege 

Principle  that  requires  that  each  subject  be  granted  the  most  restrictive  set  of  privileges  needed  for  the  performance  of 
authorized  tasks.  This  also  applies  to  system  privileges  that  might  not  be  needed  to  perform  their  assigned  job.  NOTE: 
Application  of  this  principle  limits  the  damage  that  can  result  from  errors,  and  accidental  and  unauthorized  use  of  an 
IS. 


Limited  privileged  access 

Privileged  access  with  limited  scope  (for  example,  authority  to  change  user  access  to  data  or  system  resources  for  a 
single  information  system  or  physically  isolated  network). 

Local  area  network 

A  system  that  allows  microcomputers  to  share  information  and  resources  within  a  limited  (local)  area. 

Machine  cryptosystem 

Cryptosystem  in  which  the  cryptographic  processes  are  performed  by  crypto-equipment. 

Mainframe 

A  computer  system  that  is  characterized  by  dedicated  operators  (beyond  the  system  users);  high  capacity,  distinct 
storage  devices;  special  environmental  considerations;  and  an  identifiable  computer  room  or  complex. 

Malicious  code 

Software  or  firmware  capable  of  performing  an  unauthorized  function  on  an  IS. 

Malicious  software  code 

Any  software  code  intentionally  created  or  introduced  into  a  computer  system  for  the  distinct  purpose  of  causing  harm 
or  loss  to  the  computer  system,  its  data,  or  other  resources.  Many  users  equate  malicious  code  with  computer  viruses, 
which  can  lie  dormant  for  long  periods  of  time  until  the  computer  system  executes  the  trigger  that  invokes  the  virus  to 
execute.  Within  the  last  several  years,  the  Internet  has  been  the  conduit  of  various  types  of  computer  viruses.  However, 
there  are  other  types  of  malicious  codes  used  to  cause  havoc  that  are  not  as  well  publicized  as  the  virus. 

Mission  assurance  category 

Reflects  the  importance  of  information  relative  to  the  achievement  of  DOD  goals  and  objectives,  particularly  the 
warfighters’  combat  mission.  Mission  assurance  categories  are  primarily  used  to  determine  the  requirements  for 
availability  and  integrity. 

Manual  cryptosystem 

Cryptosystem  in  which  the  cryptographic  processes  are  performed  manually  without  the  use  of  crypto-equipment  or 
auto-manual  devices. 
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Military  information  environment 

The  environment  contained  within  the  global  information  environment,  consisting  of  information  systems  and  organiza- 
tions-friendly  and  adversary,  military  and  non-military-that  support,  enable,  or  significantly  influence  a  specific  military 
operation. 

Monitoring 

Monitoring  is  the  observation  of  a  resource  for  the  purpose  of  ascertaining  its  status  or  operational  state.  Monitoring 
includes  the  automated,  real  or  near-real  time  interception  of  information  transiting  the  system  or  network  by  a  system 
or  network  administrator  during  the  normal  course  of  employment  while  engaged  in  activities  necessary  to  keep  the 
system  or  network  operational  and  to  protect  the  rights  and  property  of  the  system  or  network  owner.  For  example, 
automated  monitoring  or  logging  of  system  or  network  events  (such  as  by  IDS,  IPS,  firewalls,  and  so  on)  can  provide 
valuable  information  related  to  malicious  content  of  communications;  unauthorized  access,  exceeding  access  or  misuse 
of  systems  or  networks;  policy  and  criminal  violations,  etc.  as  well  as  the  performance  of  the  systems.  Because  most 
electronic  communications  do  not  involves  “parties  to  the  conversation,”  monitoring  by  system  and  network  adminis¬ 
trators  is  not  “electronic  surveillance”  as  defined  in  AR  381-10. 

Multilevel  (security)  mode 

IS  security  mode  of  operation  wherein  all  the  following  statements  are  satisfied  concerning  the  users  who  have  direct 
or  indirect  access  to  the  system,  its  peripherals,  remote  terminals,  or  remote  hosts: 

a.  Some  users  do  not  have  a  valid  security  clearance  for  all  the  information  processed  in  the  IS. 

b.  All  users  have  the  proper  security  clearance  and  appropriate  formal  access  approval  for  that  information  to  which 
they  have  access. 

c.  All  users  have  a  valid  need-to-know  only  for  information  to  which  they  have  access. 

Multilevel  security 

Concept  of  processing  information  with  different  classifications  and  categories  that  simultaneously  permits  access  by 
users  with  different  security  clearances,  but  prevents  users  from  obtaining  access  to  information  for  which  they  lack 
authorization. 

National  Security  System  (44  USC  3542) 

Any  information  system  (including  any  telecommunications  system)  used  or  operated  by  an  agency  or  by  a  contractor 
of  an  agency,  or  other  organization  on  behalf  of  an  agency  -  (i)  the  fiinction,  operation,  or  use  of  which  involves 
intelligence  activities;  involves  cryptologic  activities  related  to  national  security;  involves  command  and  control  of 
military  forces;  involves  equipment  that  is  an  integral  part  of  a  weapon  or  weapons  system;  or  is  critical  to  the  direct 
fulfillment  of  military  or  intelligence  missions  (excluding  a  system  that  is  to  be  used  for  routine  administrative  and 
business  applications,  for  example,  payroll,  finance,  logistics,  and  personnel  management  applications);  or,  (ii)  is 
protected  at  all  times  by  procedures  established  for  information  that  have  been  specifically  authorized  under  criteria 
established  by  an  Executive  Order  or  an  Act  of  Congress  to  be  kept  classified  in  the  interest  of  national  defense  or 
foreign  policy. 

Need-to-know 

Approved  access  to,  or  knowledge  or  possession  of,  specific  information  required  to  cany  out  official  duties. 
Net-centricity 

A  robust  globally  connected  network  environment  (including  infrastructure,  systems,  processes,  and  people)  in  which 
data  is  shared  timely  and  seamlessly  among  users,  applications,  and  platforms.  Net-centricity  enables  substantially 
improved  military  situational  awareness  and  significantly  shortened  decision  making  cycles. 

Network 

Communications  medium  and  all  components  attached  to  that  medium  whose  function  is  the  transfer  of  information. 
Components  may  include  ISs,  packet  switches,  telecommunications  controllers,  key  distribution  centers,  and  technical 
control  devices. 

Network  management 

Activities  to  support  the  management  and  support  of  the  network,  including  the  engineering  of  changes  to  the  network, 
maintenance  of  the  network  and  its  components,  and  user  support  activities. 

Network  operations 

The  organizations  and  procedures  required  to  monitor,  manage,  and  control  the  global  information  grid.  Network 
operations  incorporate  network  management,  IA,  and  information  dissemination  management. 
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Network  security 

Protection  of  networks  and  their  services  from  unauthorized  modification,  destruction,  or  disclosure.  It  provides 
assurance  the  network  performs  its  critical  functions  correctly  and  there  are  no  harmful  side  effects. 

Networthiness 

The  networthiness  program  manages  the  specific  risks  associated  with  the  fielding  of  ISs  and  supporting  efforts, 
requires  formal  certification  throughout  the  life  cycle  of  all  ISs  that  use  the  infostructure,  and  sustains  the  health  of  the 
Army  enterprise  infostructure. 

Networthiness  certification 

The  Army’s  networthiness  certification  process  incorporates  and  demonstrates  the  completeness  of  guidance,  formats, 
and  practices  such  as  the  Army  knowledge  enterprise;  the  Command,  Control,  Communications,  Computers  and 
Intelligence  Support  Plan  (C4ISP);  the  DIACAP;  and  existing  developmental  and  operational  test  requirements. 

Non-communications  emitter 

Any  device  that  radiates  electromagnetic  energy  for  purposes  other  than  communicating  (for  example,  radar,  naviga¬ 
tional  aids,  and  laser  range  finders).  A  non-communication  emitter  may  include  features  normally  associated  with 
computers,  in  which  case  it  must  also  meet  the  requirements  for  an  IS. 

Non-privileged  access 

User-level  access;  normal  access  given  to  a  typical  user.  Generally,  all  access  to  system  resources  is  controlled  in  a 
way  that  does  not  permit  those  controls  and  rules  to  be  changed  or  bypassed  by  a  typical  user. 

Operations  Security 

For  the  DOD  components,  OPSEC  is  a  process  of  identifying  critical  information  and  subsequently  analyzing  friendly 
actions  attendant  to  defense  acquisition,  defense  activities,  military  operations,  and  other  activities  to: 

a.  Identify  those  actions  that  may  be  observed  by  adversary  intelligence  systems. 

b.  Determine  what  indicators  hostile  intelligence  systems  may  obtain  that  could  be  interpreted  or  pieced  together  to 
derive  critical  information  in  time  to  be  useful  to  adversaries. 

c.  Select  and  execute  measures  that  eliminate  or  reduce  to  an  acceptable  level  the  vulnerabilities  of  friendly  actions 
to  adversary  exploitation. 

Outsourced  IT-based  Process 

For  DOD  IA  purposes,  an  outsourced  IT-based  process  is  a  general  term  used  to  refer  to  outsourced  business  processes 
supported  by  private  sector  information  systems,  outsourced  information  technologies,  or  outsourced  information 
services.  An  outsourced  IT-based  process  performs  clearly  defined  functions  for  which  there  are  readily  identifiable 
security  considerations  and  needs  that  are  addressed  in  both  acquisition  and  operations. 

Password 

Protected  or  private  character  string  used  to  authenticate  an  identity  or  to  authorize  access  to  data. 

Personal  computer 

See  information  system. 

Personal  digital  assistant 

A  hand-held  computer  that  allows  an  individual  to  store,  access,  and  organize  information.  Most  PDAs  work  on  either 
a  Windows-based  or  a  Palm  operating  system.  PDAs  can  be  screen-based  or  keyboard-based,  or  both. 

Personal  electronic  devices 

A  generic  title  used  to  describe  myriad  available  small  electronic  portable  devices  that  employ  the  wireless  application 
protocol  and  other  “open  standards". 

Personal  e-mail  account 

An  e-mail  account  acquired  by  an  individual  for  personal  use.  Also  know  as  a  private  account. 

Platform  information  technology  interconnection 

For  DOD  IA  purposes,  platform  IT  interconnection  refers  to  network  access  to  platform  IT.  Platform  IT  interconnection 
has  readily  identifiable  security  considerations  and  needs  that  must  be  addressed  in  both  acquisition,  and  operations. 
Platform  IT  refers  to  computer  resources,  both  hardware  and  software,  that  are  physically  part  of,  dedicated  to,  or 
essential  in  real  time  to  the  mission  performance  of  special  purpose  systems  such  as  weapons,  training  simulators, 
diagnostic  test  and  maintenance  equipment,  calibration  equipment,  equipment  used  in  the  research  and  development  of 
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weapons  systems,  medical  technologies,  transport  vehicles,  buildings,  and  utility  distribution  systems  such  as  water  and 
electric.  Examples  of  platform  IT  interconnections  that  impose  security  considerations  include  communications  inter¬ 
faces  for  data  exchanges  with  enclaves  for  mission  planning  or  execution,  remote  administration,  and  remote  upgrade 
or  reconfiguration. 

Principle  of  least  privilege 

The  principle  of  least  privilege  requires  that  a  user  be  given  no  more  privilege  than  necessary  to  perform  a  job. 
Ensuring  least  privilege  requires  identifying  what  the  user’s  job  is,  determining  the  minimum  set  of  privileges  required 
to  perform  that  job,  and  restricting  the  user  to  a  system  or  domain  with  those  privileges  and  nothing  more. 

Private  account 

See  personal  e-mail  account. 

Privileged  access 

Authorized  access  that  provides  a  capability  to  alter  the  properties,  behavior,  or  control  of  the  information  system  or 
network.  It  includes,  but  is  not  limited  to,  any  of  the  following  types  of  access: 

a.  “Super  user,”  “root,”  or  equivalent  access,  such  as  access  to  the  control  functions  of  the  information  system  or 
network,  administration  of  user  accounts,  and  so  forth. 

b.  Access  to  change  control  parameters  (for  example,  routing  tables,  path  priorities,  addresses)  of  routers,  multi¬ 
plexers,  and  other  key  information  system  or  network  equipment  or  software. 

c.  Ability  and  authority  to  control  and  change  program  files,  and  other  users’  access  to  data. 

d.  Direct  access  (also  called  unmediated  access)  to  functions  at  the  operating-system  level  that  would  permit  system 
controls  to  be  bypassed  or  changed. 

e.  Access  and  authority  for  installing,  configuring,  monitoring,  or  troubleshooting  the  security  monitoring  functions 
of  information  systems  or  networks  (for  example,  network  or  system  analyzers;  intrusion  detection  software;  firewalls) 
or  in  performance  of  cyber  or  network  defense  operations. 

Protected  Distribution  System 

Wire-line  or  fiber-optic  telecommunications  system  that  includes  terminals  and  adequate  acoustic,  electrical, 
electromagnetic,  and  physical  safeguards  to  permit  its  use  for  the  unencrypted  transmission  of  classified  information. 

Proxy  server 

A  server  acting  on  behalf  of  another  server  or  servers.  Such  an  arrangement  allows  a  single  point  of  entry  or  exit  into  a 
TCP/IP  network.  A  proxy  server  may  also  have  built-in  software  that  will  allow  it  to  be  configured  to  act  as  a  firewall, 
cache  server,  or  logging  server. 

Purge 

Removal  of  data  from  an  IS,  its  storage  devices,  or  other  peripheral  devices  with  storage  capacity  in  such  a  way  that 
the  data  may  not  be  reconstructed.  An  IS  must  be  disconnected  from  any  external  network  before  a  purge  (see 
Clearing). 

RADIUS 

Remote  Authentication  Dial-In  User  Service  is  a  protocol  by  which  users  can  have  access  to  secure  networks  through  a 
centrally  managed  server.  RADIUS  provides  authentication  for  a  variety  of  services,  such  as  login,  dial-back,  serial  line 
Internet  protocol  (SLIP),  and  point-to-point  protocol  (PPP). 

Remote  access  server 

A  server  that  is  dedicated  to  handling  users  that  are  not  on  a  LAN,  but  need  remote  access  to  it.  The  remote  access 
server  allows  users  to  gain  access  to  files  and  print  services  on  the  LAN  from  a  remote  location.  For  example,  a  user 
who  dials  into  a  network  from  home  using  an  analog  modem  or  an  ISDN  connection  will  dial  into  a  remote  access 
server.  Once  the  user  is  authenticated  he  can  access  shared  drives  and  printers  as  if  he  were  physically  connected  to  the 
office  LAN. 

Remote  terminal 

A  terminal  that  is  not  in  the  immediate  vicinity  of  the  IS  it  accesses.  This  is  usually  associated  with  a  mainframe 
environment  and  the  use  of  a  terminal.  Terminals  usually  cannot  operate  in  a  stand-alone  mode. 

Risk 

The  probability  that  a  particular  threat  will  exploit  a  particular  vulnerability  of  an  information  system  or  telecommuni¬ 
cations  system. 
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Risk  assessment 

Process  of  analyzing  threats  to  and  vulnerabilities  of  an  information  system,  and  determining  potential  adverse  effects 
that  the  loss  of  information  or  capabilities  of  a  system  would  have  on  national  security  and  using  the  analysis  as  a  basis 
for  identifying  appropriate  and  cost-effective  countermeasures. 

Security  guard/filter 

IS  trusted  subsystem  that  enforces  security  policy  on  the  data  that  passes  through  it. 

Security  test  and  evaluation 

Examination  and  analysis  of  the  safeguards  required  to  protect  an  IS,  as  they  have  been  applied  in  an  operational 
environment,  to  determine  the  security  posture  of  the  system. 

Sensitive  but  unclassified  (obsolete  term) 

An  obsolete  term  (in  DOD)  that  has  been  replaced  by  sensitive  information  (see  below). 

Sensitive  information 

Any  information  the  loss,  misuse,  or  unauthorized  access  to  or  modification  of  which  could  adversely  affect  the 
national  interest  or  the  conduct  of  Federal  programs,  or  the  privacy  to  which  individuals  are  entitled  under  5  USC  552a 
(The  Privacy  Act),  but  which  has  not  been  specifically  authorized  under  criteria  established  by  executive  order  or  an 
Act  of  Congress  to  be  kept  secret  in  the  interest  of  national  defense  or  foreign  policy.  Sensitive  information  includes 
information  in  routine  DOD  payroll,  finance,  logistics,  and  personnel  management  systems.  Examples  of  sensitive 
information  include,  but  are  not  limited  to,  the  following  categories: 

a.  FOUO,  in  accordance  with  DOD  5400.7-R,  is  information  that  may  be  withheld  from  mandatory  public  disclo¬ 
sure  under  the  FOIA. 

b.  Unclassified  technical  data  is  data  related  to  military  or  dual-use  technology  that  is  subject  to  approval,  licenses, 
or  authorization  under  the  Arms  Export  Control  Act  and  withheld  from  public  disclosure  in  accordance  with  DOD 
5230.25. 

c.  Department  of  State  (DOS)  sensitive  but  unclassified  (SBU)  is  information  originating  from  the  DOS  that  has 
been  determined  to  be  SBU  under  appropriate  DOS  information  security  polices. 

d.  Foreign  government  information  is  information  originating  from  a  foreign  government  that  is  not  classified 
CONFIDENTIAL  or  higher  but  must  be  protected  in  accordance  with  DOD  5200. 1-R. 

e.  Privacy  data  is  personal  and  private  information  (for  example,  individual  medical  information,  home  address  and 
telephone  number,  social  security  number)  as  defined  in  the  Privacy  Act  of  1974. 

Social  engineering 

Term  used  among  crackers  and  security  professionals  for  cracking  techniques  that  rely  on  weaknesses  in  process  rather 
than  software;  the  aim  is  to  trick  people  into  revealing  passwords  or  other  information  that  compromises  a  target 
system’s  security.  Classic  scams  include  phoning  up  a  user  or  helpdesk  who  has  the  required  information  and  posing  as 
a  field  service  tech  or  a  fellow  employee  with  an  urgent  access  problem. 

SPAM 

Unsolicited  e-mail  received  on  or  from  a  network,  usually  the  Internet,  in  the  form  of  bulk  mail  obtained  from  e-mail 
distribution  lists  or  discussion  group  lists. 

Stand-alone  information  system 

An  IS  that  is  physically,  electronically,  and  electrically  isolated  from  all  other  IS. 

Survivability 

The  ability  of  a  computer  communication  system-based  application  to  satisfy  and  to  continue  to  satisfy  certain  critical 
requirements  (for  example,  specific  requirements  for  security,  reliability,  real-time  responsiveness,  and  correctness)  in 
the  face  of  adverse  conditions. 

Susceptibility 

Technical  characteristics  describing  inherent  limitations  of  a  system  that  have  potential  for  exploitation  by  the  enemy. 
System 

The  entire  computer  system,  including  input/output  devices,  the  supervisor  program  or  operating  system,  and  other 
included  software. 

System  administrator 

A  system  administrator  (SA),  or  sysadmin,  is  a  privileged-level  individual  employed  or  authorized  to  maintain  and 
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operate  a  computer  system  or  network.  Individual  responsible  for  the  installation  and  maintenance  of  an  information 
system,  providing  effective  information  system  utilization,  adequate  security  parameters,  and  sound  implementation  of 
established  information  assurance  policy  and  procedures.  (CNSS  Instruction  No.  4009) 

System  audit 

The  process  of  auditing  and  spot  checking  to  verify  secure  operation  of  a  system  and  its  support  software.  If 
irregularities  are  discovered,  the  audit  process  includes  analysis  and  identification  of  the  problem,  performing  correc¬ 
tive  actions  necessary  to  resolve  the  situation,  tracking  open  items  actively,  and  briefing  management  on  identified 
security  deficiencies. 

System  of  systems 

A  total  network  made  up  of  all  the  interconnected  computer  systems,  communication  systems,  and  network  components 
within  some  logical  boundary.  (Replaced  with  the  term  enclave.) 

System  owner 

The  Government  civilian  or  military  person  or  organization  responsible  for  introduction  or  operation  of  an  IS  used  by 
or  in  support  of  the  Army.  The  SO  is  responsible  for  ensuring  the  security  of  the  IS  as  long  as  it  remains  in  Army 
inventory,  or  until  transferred  (temporarily  or  permanently)  to  another  Government  person  or  organization  and  such 
transfer  is  appropriately  documented  and  provided  as  an  artifact  to  the  accreditation  package.  If  a  contractor  provides 
IA  services  to  a  system  with  the  intent  of  meeting  some  or  all  of  the  SOs  IA  responsibilities,  the  1A  responsibilities  do 
not  shift  from  the  Government  SO  to  the  contractor.  The  Government  SO  remains  responsible  for  ensuring  that  the  IA 
services  are  provided.  The  Government  SO  may  charge  the  IAM  with  authority  to  perform  many  of  the  SO  IA  duties, 
if  appropriate;  however,  final  responsibility  will  remain  with  the  SO.  The  SO  could  be  a  product,  program  or  project 
manager,  a  staff  or  command  element  that  purchases  or  develops  IT  equipment  and  systems,  a  DOIM  or  anyone  else 
who  is  responsible  for  an  IS.  The  SO  is  responsible  for  ensuring  that  all  IA  requirements  are  identified  and  included  in 
the  design,  acquisition,  installation,  operation,  maintenance,  upgrade  or  replacement  of  all  DA  IS  in  accordance  with 
DODD  8500.1. 

Terminal  Access  Controller  Access  System 

A  system  developed  by  the  Defense  Data  Network  community  to  control  access  to  its  terminal  access  controllers. 

Technical  vulnerability 

A  hardware,  firmware,  communication,  or  software  weakness  that  leaves  a  computer  processing  system  open  for 
potential  exploitation  or  damage,  either  externally  or  internally,  resulting  in  risk  for  the  owner,  user,  or  manager  of  the 
system. 

Telecommunications 

Preparation,  transmission,  communication,  or  related  processing  of  information  (writing,  images,  sounds,  or  other  data) 
by  electrical,  electromagnetic,  electromechanical,  electro-optical,  or  electronic  means. 

Telecommunications  and  information  systems  security 

Protection  afforded  to  telecommunications  and  information  systems  to  prevent  exploitation  through  interception, 
unauthorized  electronic  access,  or  related  technical  intelligence  threats  and  to  ensure  authenticity.  Note:  Such  protection 
results  from  the  application  of  security  measures  (including  cryptosecurity,  transmission  security,  emission  security, 
and  computer  security)  to  systems  that  generate,  store,  process,  transfer,  or  communicate  information  of  use  to  an 
adversary,  and  also  includes  the  physical  protection  of  technical  security  materiel  and  technical  security  information. 

Telecommunications  system 

Any  system  that  transmits,  receives,  or  otherwise  communicates  information  by  electrical,  electromagnetic,  electro¬ 
mechanical,  or  electro-optical  means.  A  telecommunications  system  may  include  features  normally  associated  with 
computers,  in  which  case  it  must  also  meet  the  requirements  for  an  IS. 

Telnet 

A  terminal  emulation  program  for  TCP/IP  networks  such  as  the  Internet.  Telnet  is  a  common  way  to  remotely  control 
Web  servers. 

Terminal 

Any  device  that  is  used  to  access  an  IS,  including  “dumb”  terminals  (which  only  function  to  access  an  IS),  as  well  as 
personal  computers  or  other  sophisticated  ISs  that  may  access  other  ISs  as  one  of  their  functions. 
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Threat 


Capabilities,  intentions,  and  attack  methods  of  adversaries  to  exploit,  damage,  or  alter  information  or  an  information 
system.  Also,  any  circumstance  or  event  with  the  potential  to  cause  harm  to  information  or  an  information  system.  Any 
circumstance  or  event  with  the  potential  to  adversely  impact  an  information  system  through  unauthorized  access, 
destruction,  disclosure,  modification  of  data,  and/or  denial  of  service  (see  CNSS  Instruction  No.  4009). 

Threat  agent 

A  means  or  method  used  to  exploit  a  vulnerability  in  a  system,  operation,  or  facility. 

Threat  analyst 

Designated  member  of  the  intelligence  staff  of  the  supported  command  of  the  DAA  who  will  provide  the  interface  on 
behalf  of  DA  with  the  DOD  Intelligence  Community,  the  G2,  NETCOM/9th  SC  (A),  and  the  intelligence  component  of 
the  1st  Information  Operations  Command  (Land)  to  document  foreign  threats  regarding  computer  network  attack 
(CNA)  and  computer  network  exploitation  (CNE)  or  other  non-technical  threats. 

Time  bomb  and  logic  bomb 

Malicious  code  that  can  be  triggered  by  a  specific  event  or  recur  at  a  given  time.  A  logic  bomb  is  triggered  by  an  event 
instead  of  a  specific  time.  One  example  of  a  logic  bomb  would  be  a  set  of  programmed  instructions  to  search  a 
company’s  payroll  files,  checking  for  the  presence  of  the  programmer’s  name.  Once  the  programmer  ceases  employ¬ 
ment,  the  logic  bomb  is  triggered  to  cause  damage  to  data  or  software. 

Trapdoor 

A  hidden  software  program  (potentially  embedded  into  the  hardware  or  firmware)  mechanism  that  causes  system 
protection  mechanisms  to  be  bypassed.  The  code  can  be  hidden  in  the  logon  sequence  where  users  are  asked  to  input 
their  user  IDs  and  then  passwords.  In  normal  circumstances,  the  input  passwords  are  checked  against  stored  values 
corresponding  to  the  user  ID;  if  the  passwords  are  valid,  logon  proceeds.  The  trapdoor  software  would  check  for  a 
specific  user  ID,  and  whenever  that  user  ID  is  checked,  it  bypasses  the  password  checking  routine  and  authorizes 
immediate  logon.  Trapdoors  are  sometimes  built  into  development  systems  by  programmers  to  avoid  the  lengthy  logon 
procedure. 

Trivial  file  transfer  protocol 

A  simple  form  of  the  File  transfer  protocol  (FTP).  TFTP  uses  the  user  datagram  protocol  (UDP),  a  connection-less 
protocol  that,  like  TCP,  runs  on  top  of  IP  networks.  It  is  used  primarily  for  broadcasting  messages  over  a  network  and 
provides  no  security  features.  It  is  often  used  by  servers  to  boot  diskless  workstations,  X-terminals,  and  routers. 


Trojan  horse 


A  non-replicating  program  that  appears  to  be  legitimate,  but  is  designed  to  have  destructive  effects  on  data  residing  in 
the  computer  onto  which  the  program  was  loaded.  These  programs  can  perform  various  malicious  activities,  such  as 
deleting  files,  changing  system  settings,  allowing  unauthorized  remote  access,  and  running  malicious  programs  result¬ 
ing  in  destruction  or  manipulation  of  data.  Trojan  horses  require  user  intervention  to  propagate  and  install  such  as 
opening  an  e-mail  attachment. 

User 

Person  or  process  accessing  an  IS  by  direct  connections  (for  example,  via  terminals)  or  indirect  connections. 

User  ID 

Unique  symbol  or  character  string  that  is  used  by  an  IS  to  uniquely  identify  a  specific  user. 

Virtual  private  network 

A  private  data  network  that  makes  use  of  the  public  telecommunication  infrastructure,  maintaining  privacy  through  the 
use  of  a  tunneling  protocol  and  security  procedures. 


Virus 


A  small  program  written  to  alter  the  way  a  computer  operates  without  the  permission  or  knowledge  of  the  user.  A  virus 
is  self  replicating  with  a  potentially  malicious  program  segment  that  attaches  or  injects  itself  into  an  application 
program  or  other  executable  system  component  and  leaves  no  external  signs  of  its  presence,  and  usually  programmed 
to  damage  system  programs,  delete  files,  create  a  denial  of  service,  or  reformat  the  hard  disk. 
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Vulnerability 

Weakness  in  an  information  system,  cryptographic  system,  or  components  of  either  (for  example,  system  security 
procedures,  hardware  design,  internal  controls)  that  could  be  exploited. 

Vulnerability  assessment 

Systematic  examination  of  an  IS  or  product  to  determine  the  adequacy  of  security  measures,  identify  security 
deficiencies,  provide  data  from  which  to  predict  the  effectiveness  of  proposed  security  measures,  and  confirm  the 
adequacy  of  such  measures  after  implementation. 

Warning  banner 

A  warning  banner  is  verbiage  that  a  user  sees  or  is  referred  to  at  the  point  of  access  to  a  system  which  sets  the  right 
expectations  for  users  regarding  acceptable  use  of  a  computer  system  and  its  resources,  data,  and  network  access 
capabilities.  These  expectations  include  notice  of  authorized  monitoring  of  users’  activities  while  they  are  using  the 
system,  and  warnings  of  legal  sanctions  should  the  authorized  monitoring  reveal  evidence  of  illegal  activities  or  a 
violation  of  security  policy. 

Wide  area  network 

A  WAN  covers  a  wider  geographic  area  than  a  LAN,  is  an  integrated  voice  or  data  network,  often  uses  common  carrier 
lines  for  the  interconnection  of  its  LANs,  and  consists  of  nodes  connected  over  point-to-point  channels.  Commercial 
examples  are  Internet  and  public  data.  Government  examples  are  NIPRNET  and  S1PRNET. 

World  Wide  Web 

The  universe  of  accessible  information  available  on  many  computers  spread  through  the  world  and  attached  to  that 
gigantic  computer  network  called  the  Internet.  The  Web  encompasses  a  body  of  software,  a  set  of  protocols,  and  a  set 
of  defined  conventions  for  accessing  the  information  on  the  Web.  The  Web  uses  hypertext  and  multimedia  techniques 
to  make  the  Web  easy  for  anyone  to  roam,  browse,  and  contribute  to.  The  Web  makes  publishing  information  (that  is, 
making  that  information  public)  as  easy  as  creating  a  “homepage”  and  posting  it  on  a  server  somewhere  in  the  Internet. 
Also  called  WEB  or  W3. 

Worm 

An  independent  program  that  replicates  itself  by  copying  from  one  system  to  another,  usually  over  a  network  without 
the  use  of  a  host  file.  Like  a  virus,  a  worm  may  damage  data  directly,  or  it  may  degrade  system  performance  by 
consuming  system  resources  or  even  shutting  a  network  down,  but,  in  contrast  to  viruses,  does  not  require  the 
spreading  of  an  infected  host  file.  Usually  the  worm  will  release  a  document  that  already  has  the  “worm”  macro  inside 
the  document. 

Section  III 

Special  Abbreviations  and  Terms 

This  section  contains  no  entries. 
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071623Z  MAR  08  PORTICO 

FM  PORTICO  WASHINGTON  DC/ /REPLY  TO  FIRST  INFO  ADDRESSEE// 

TO  DIA  WASHINGTON  DC 

INFO  DIRNAVCRIMINVSERV  WASHINGTON  DC//NCISMTAC// 

PORTICO  WASHINGTON  DC 

ALCOM  J2  ELMENDORF  AFB  AK//J2C// 

CDR  USEUCOM  INTEL  VAIHINGEN  GE//ECJ2/ECJ23-CI// 

CDR  USJFCOM  NORFOLK  VA//J2CI// 

CDR  USNORTHCOM/ / J24-CISO/ / 

CDR  USSOUTHCOM  MIAMI  FL//J2// 

CDRINSCOM  FT  BELVOIR  VA 
CIA  WASHINGTON  DC//CIC// 

COMBINED  INTEL  AND  FUSION  CTR  PETERSON  AFB  CO// J22M/HSE// 

COMUSJAPAN  YOKOTA  AB  JA// J2CI/J2C/J2D// 

COMUSKOREA  INTEL  SEOUL  KOR//FKJ2// 

COMUSKOREA  INTEL  SEOUL  KOR//FKJ2/FKJ2-IS-H/HSE/FKJ2-CM-H// 

DEPT  OF  HOMELAND  SECURITY  IA  WASHINGTON  DC//IA-R// 

FBI  WASHINGTON  DC//NSD-1// 

HQ  USSOUTHCOM  J2  MIAMI  FL//SCJ2-CISO// 

JAC  MOLESWORTH  RAF  MOLESWORTH  UK//DOX// 

JICPAC  HONOLULU  HI//OPS/OIX// 

NASIC  WRIGHT  PATTERSON  AFB  OH//DEKR/DEKA// 

NRO  WASHINGTON  DC//CI /NROC/ / 

ONI  WASHINGTON  DC//ONI-243/CAC// 

SAFE  WASHINGTON  DC 

USSTRATCOM  INTEL  DIRECTORATE  OFFUTT  AFB 
NE//OP24/OP322/CS551/OP212/HSE  // 

USSTRATCOM  OFFUTT  AFB  NE//J2/J221// 

SERIAL:  (U)  HR  5  391  0014  08. 

COUNTRY:  (U)  AFGHANISTAN  (AF) ;  AUSTRALIA  (AS);  AUSTRIA  ( AU ) ;  BELGIUM 
(BE);  BRITISH  VIRGIN  ISLANDS  (VI);  CANADA  (CA) ;  CHILE  (Cl);  CHINA 
(CH);  CHRISTMAS  ISLAND  (KT) ;  CUBA  (CU);  DJIBOUTI  (DJ);  EAST  TIMOR 

(TT) ;  GERMANY  (GM) ;  HONG  KONG  (HK) ;  INDIA  (IN);  IRAQ  ( I Z ) ;  ISRAEL 
(IS);  ITALY  (IT);  JAPAN  (JA);  KENYA  (KE);  KYRGYZSTAN  (KG);  LAOS 
(LA);  LATVIA  (LG);  LITHUANIA  (LH) ;  MONTSERRAT  (MH) ;  NETHERLANDS 
(NL);  NEW  ZEALAND  (NZ);  NIUE  (NE) ;  NORWAY  (NO);  PORTUGAL  (PO); 
ROMANIA  (RO) ;  RUSSIA  (RS) ;  SAMOA  (WS) ;  SLOVAKIA  (LO) ;  SLOVENIA  (SI); 
SOUTH  AFRICA  (SF) ;  SPAIN  (SP) ;  SWEDEN  (SW) ;  SWITZERLAND  (SZ);  TAIWAN 
(TW);  TONGA  (TN) ;  TURKMENISTAN  (TX) ;  UKRAINE  (UP);  UNITED  KINGDOM 

(UK) ;  UNITED  STATES  OF  AMERICA  (US);  VANUATU  (NH) . 

IPSP:  (U)  IFC2320;  IFC2440. 

SUBJ :  IIR  5  391  0014  08/INTERNET  WEB  POSTINGS  OF  CLASSIFIED  AND  FOR 
OFFICIAL  USE  ONLY  DOCUMENTS  (U//FOUO) 


WARNING:  (U)  THIS  IS  AN  INFORMATION  REPORT,  NOT  FINALLY  EVALUATED 
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DOI :  (U)  20080307. 

REQS :  (U)  NCIS-CI-CE-002-2008;  D-INT-1580-003-07 . 

SOURCE:  (U//FOUO)  //MEMBER,  NCIS//. 

SUMMARY:  (U//FOUO)  WEBSITE  WIKILEAKS.ORG  AND  NUMEROUS  OTHER  WEBSITES 
THAT  MIRROR  CONTENT  CONTAIN  COPIES  OF  MULTIPLE  CLASSIFIED  AND  FOR 
OFFICIAL  USE  ONLY  (FOUO)  DOCUMENTS. 

TEXT:  1.  (U//FOUO)  BEGINNING  IN  DEC06,  A  PUBLIC  WEBSITE  NAMED 

WIKILEAKS.ORG  WAS  ESTABLISHED  TO  ENCOURAGE  THE  ANONYMOUS  POSTING  OF 
SENSITIVE  GOVERNMENT  AND  CORPORATE  DOCUMENTS.  WIKILEAKS 
SELF-DESCRIBES  AS  (QUOTE)  AN  UNCENSORABLE  WIKIPEDIA  FOR  UNTRACEABLE 
MASS  DOCUMENT  LEAKING  AND  ANALYSIS  (UNQUOTE) .  WIKILEAKS  FURTHER 
STATES  IT'S  (QUOTE)  PRIMARY  INTEREST  IS  IN  EXPOSING  OPPRESSIVE 
REGIMES  IN  ASIA,  THE  FORMER  SOVIET  BLOC,  SUB-SAHARAN  AFRICA  AND  THE 
MIDDLE  EAST,  BUT  WE  ALSO  EXPECT  TO  BE  OF  ASSISTANCE  TO  PEOPLE  OF  ALL 
REGIONS  WHO  WISH  TO  REVEAL  UNETHICAL  BEHAVIOR  IN  THEIR  GOVERNMENTS 
AND  CORPORATIONS  (UNQUOTE) . 

2.  (U/ /FOUO)  WIKILEAKS  WEB  SITE  STATES  (QUOTE)  WIKILEAKS  WAS 
FOUNDED  BY  CHINESE  DISSIDENTS,  JOURNALISTS,  MATHEMATICIANS  AND 
STARTUP  COMPANY  TECHNOLOGISTS,  FROM  THE  US,  TAIWAN,  EUROPE, 

AUSTRALIA  AND  SOUTH  AFRICA  (UNQUOTE). 

3.  (U/ /FOUO)  WIKILEAKS  SUBMISSION  GUIDE  STATES  IT  (QUOTE)  ACCEPTS 
CLASSIFIED,  CENSORED  OR  OTHERWISE  RESTRICTED  MATERIAL  OF  POLITICAL, 
DIPLOMATIC  OR  ETHICAL  SIGNIFICANCE  (UNQUOTE).  THE  WEBSITE  PROVIDES 
SUGGESTIONS  FOR  THE  ANONYMOUS  SUBMISSION  OF  MATERIAL  AND  SEVERAL 
METHODS  OF  SUBMITTING  MATERIAL  FOR  INCLUSION  TO  AN  ONLINE  DATABASE. 
METHODS  INCLUDE  SUBMISSION  VIA  SECURE  UPLOAD,  EMAIL,  AND  VIA 
DISCREET  POSTAL  NETWORK. 

4.  (U//FOUO)  SINCE  DEC06,  NUMEROUS  CLASSIFIED  AND  FOUO  DOCUMENTS 
HAVE  BEEN  POSTED  AND  CONTINUE  TO  BE  AVAILABLE  ON  WIKILEAKS.ORG  SITE 
AND  IT'S  MIRRORS.  SOME  OF  THESE  POSTINGS  HAVE  GARNERED  THE 
ATTENTION  OF  MAJOR  NEWS  MEDIA  OUTLETS,  YET  INTELLIGENCE  REPORTING 
HAS  LARGELY  IGNORED  THESE  LEAKS.  THIS  REPORT  IS  BEING  ISSUED  IN  AN 
ATTEMPT  TO  RAISE  THE  AWARENESS  OF  THIS  THREAT.  SOME  OF  THE 
DOCUMENTS  DISCOVERED  ON  THE  WIKILEAKS  WEBSITES  ARE  LISTED  BELOW: 

A.  (U//FOUO)  DHS/FEMA  BRIEF  ENTITLED  (QUOTE)  SPACE  OBJECT  RE-ENTRY, 
STATE  LEADERSHIP  BRIEFING,  DHS/FEMA  REGION  IX  (UNQUOTE),  DATED 
19FEB08 ,  MARKED  FOUO.  THE  BRIEF  DISCUSSES  THE  PLANNED  SHOOT-DOWN  OF 
A  SATELLITE  DESIGNATED  US193  IN  ORDER  TO  PREVENT  HYDRAZINE  FUEL  FROM 
ENDANGERING  HUMAN  LIVES. 

B.  (U/ /FOUO)  FBI  INTELLIGENCE  BULLETIN  ISSUED  BY  THE 
COUNTERTERRORISM  DIVISION  ENTITLED  (QUOTE)  END  OF  RAMADAN  SECURITY 
AWARENESS  (UNQUOTE),  DATED  19OCT06,  MARKED  UNCLASSI FIED//FOUO .  THE 
BULLETIN  ADDRESSES  THE  QUESTION  OF  THE  POSSIBILITY  OF  TERRORIST 
ATTACKS  TO  COINCIDE  WITH  RAMADAN. 

C.  DRAFT  DOCUMENT  ENTITLED  (QUOTE)  COMCFC-A  ASSESSMENT 
AND  ESTIMATE  FOR  TRANSFER  OF  DETAINEE  OPERATIONS  TO  THE  GOA 
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(UNQUOTE);  UNDATED  BUT  STATES  IT  IS  IN  RESPONSE  TO  (QUOTE)  CENTCOM 
PLANORD,  DATED  28FEB05  (UNQUOTE),  MARKED  SECRET/ /REL  GCTF.  THE 
DOCUMENT  IS  A  PROPOSED  RESPONSE  TO  A  CENTCOM  PLANORD  AND  ANALYZES 
THE  GOVERNMENT  OF  AFGHANISTAN'S  ABILITY  TO  MANAGE  A  DETAINEE  PROGRAM. 

D.  NGIC  ASSESSMENT  ENTITLED  (QUOTE)  COMPLEX  ENVIRONMENTS: 
BATTLE  OF  FALLUJAH  I,  APRIL  2004  (UNQUOTE),  MARKED 

SECRET/ /NOFORN//20310306 .  THE  ASSESSMENT  CONTAINS  SEVERAL 
PARAGRAPHS  OF  CLASSIFIED  INFORMATION  AS  WELL  AS  TACTICAL  MAPS  AND 
PHOTOGRAPHS. 

E.  AERIAL  PHOTOGRAPH  ENTITLED  (QUOTE)  ABU  GHURAYB  PRISON 
(UNQUOTE),  WITH  WHAT  APPEARS  TO  BE  AN  82ND  AIRBORNE  DIVISION 
INSIGNIA,  DATED  04SEP03,  MARKED  SECRET/NOFORN//MR. 

F.  m  CJTF180-SJA  PAPER  WITH  SUBJECT  LINE  (QUOTE)  SECDEF  DETENTION 
CRITERIA  (UNQUOTE),  DATED  20APR03,  MARKED  SECRET.  THE  DOCUMENT  AIMS 
(QUOTE)  TO  CLARIFY  THE  SECDEF'S  DETENTION  CRITERIA  FOR  BATTLEFIELD 
DETENTION  AND  LONG-TERM  DETENTION  AT  GTMO  (UNQUOTE) . 

G.  DOCUMENT  ENTITLED  (QUOTE)  ANNEX  E 
(CONSOLIDATED  ROE)  TO  3-187  FRAGO  02,  OPORD  02-005  (UNQUOTE),  MARKED 
SECRET/ /REL  TO  USA,  IRQ,  MCFI//20151003  DISPLAY  ONLY  TO  IRQ.  THE 
DOCUMENT  (QUOTE)  ESTABLISHES  THE  RULES  OF  ENGAGMENT  (ROE)  FOR  ALL 
FORCES  UNDER  THE  CONTROL  OF  MULTI-NATIONAL  DIVISION  -  BAGHDAD 
(UNQUOTE) . 

H.  (U//FOUO)  DRAFT  DOCUMENT  ENTITLED  (QUOTE)  DETAINEE  OPERATIONS  IN 
A  JOINT  ENVIRONMENT,  DETAINEE  OPS,  MULTI-SERVICE  TACTICS,  TECHNIQUES 
AND  PROCEDURES  (MTTP)  PACKAGE  (UNQUOTE),  DATED  MARCH  2004,  MARKED 
(QUOTE)  DISTRIBUTION  RESTRICTION:  DISTRIBUTION  AUTHORIZED  TO  DOD 
AND  DOD  CONTRACTORS  ONLY  TO  PROTECT  TECHNICAL  OR  OPERATIONAL 
INFORMATION  FROM  AUTOMATIC  DISSEMINATION  UNDER  THE  INTERNATIONAL 
EXCHANGE  PROGRAM  OR  BY  OTHER  MEANS  (UNQUOTE),  (QUOTE)  DESTRUCTION 
NOTICE:  DESTROY  BY  ANY  MEANS  THAT  WILL  PREVENT  DISCLOSURE  OF  THE 
DOCUMENT  (UNQUOTE) .  THE  DOCUMENT  CONTENTS  ARE  SUMMARIZED  IT  THE 
ABOVE  STATED  TITLE. 

I.  (U//FOUO)  DOCUMENT  ENTITLED  (QUOTE)  CAMP  DELTA  STANDARD  OPERATING 
PROCEDURES  (SOP)  (UNQUOTE),  DATED  28MAR03,  MARKED  U//FOUO.  THE 
DOCUMENT  DISCUSSES  SOP  FOR  CAMP  DELTA,  GUANTANAMO  BAY,  CUBA. 

5.  (U//FOUO)  A  LIST  OF  WIKILEAKS  MIRRORED  SITES,  REFERRED  TO  AS 
(QUOTE)  COVER  NAMES  (UNQUOTE)  WERE  RETRIEVED  FROM 
HTTPS://WIKILEAKS.BE/WIKI/WIKILEAKS:COVER_NAMES  ON  04MAR08.  THE 
MIRROR  SITES  LISTED  ARE  REPORTED  TO  BE  ACCESSIBLE  WHEN  PREFACED  WITH 
HTTP: //(QUOTE)  SITENAME  (UNQUOTE)  FOR  UNSECURE  CONNECTIONS  OR 
HTTPS: //SECURE  (QUOTE)  SITENAME  (UNQUOTE)  FOR  ENCRYPTED  SECURE 
CONNECTIONS.  A  LIST  OF  THESE  MIRROR  SITES  ARE  LISTED  BELOW: 

a.  (u)  bratislava.iypt.sk 

b.  (u>  bucharest.roxi.ro 

C.  (U)  CAT. NIGHT. CAT 

D.  (U)  DESTINY.MOOO.COM 

E.  (U)  DESTINY. UK. TO 

F.  (U)  DUSK.DARK.RO 

G.  (U)  FREEDOMSBELL.COM 
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H.  (U)  FREEDOMSBELL.ORG 

I.  (U)  FREEDOMSPEN.COM 

J.  (U)  FREEDOMSPEN.ORG 

K.  (0)  GENEVA. CADY. CH 

L.  (U)  G00VE . TRACE . DJ 

M.  (U)  HARVARD . BOT . NU 

N.  (U)  HARVARD. INFO. TM 

O.  (U)  HARVARD. US. TO 

P.  (U)  HK.KEIN.HK 

Q.  (U)  HOME . E . CO . ZA 

R.  (U)  JOBURG.E.CO.ZA 

S.  (U)  JUST.APPLE.ORG.RU 

T.  (U)  JWDC.ORG 

u.  (U)  kiev.trade.org.ua 

V.  (U)  kyoto.maidlab.jp 

W.  (U)  LIBERTYPEN.ORG 

X.  (U)  LISBON.LOG.PT 

Y.  (U)  LJSF.ORG 

Z.  (U)  LJUBLJANA. THOR. SI 

AA.  (U)  LONDON.EDU. MS 

AB.  (U)  MILAN.UNDO.IT 

AC.  (U)  MOSCOW.IRC.SU 

AD.  (U)  MOSCOW.RADIO.SU 

AE.  (U)  M0SKVA.7X.RU 

AF.  (U)  MOSKVA.APPLE.ORG.RU 

AG.  (U)  MOSKVA.ORTS.RU 

AH.  (U)  MOSKVA.RADIO.SU 

AI.  (U)  NEW.l.VG 

AJ.  (U)  NEW. ALAIN. CO. ZA 

AK.  (U)  NEW.EMULE.LV 

AL.  (U)  NEW.FIRENET.COM.RU 

AM.  (U)  NEW. HOME. KG 

AN.  (U)  NEW. ILEX. CL 

AO.  (U)  NEW . IT . CX 

AP.  (U)  NEW.IYPT.SK 

AQ.  (U)  NEW. SHOP. TM 

AR.  (U)  NEW.SPACETECHNOLOGY.NET 

AS.  (U)  NEW. THOR. SI 

AT.  (U)  NEW.WEBMAIL.IL 

AU.  (U)  NEW.ZZZ.BE 

AV.  (U)  OSLO.CVD.NO 

AW.  (U)  PIRATE.RADIO.SU 
ax.  (U)  quality.ganja.nl 

AY.  (U)  RIGA.AX.LT 

AZ.  (U)  SALZBERG. TRIVIA. AT 

BA.  (U)  SMOKE.GANJA.NL 

BB.  (U)  SPECIAL. K.VU 

BC.  (U)  STOCKHOLM.DIVX.SE 

BD.  (U)  SUNSHINEPRESS.ORG 

BE.  (U)  SYDNEY.ATDR.ORG.AU 

BF.  (U)  TALAVIV.BORN.IL 

BG.  (U)  VIENNA. NERD. AT 

BH.  (U)  WIKILEAKS.BE 

BI.  (U)  WIKILEAKS. CH 

BJ.  (U)  WIKILEAKS.CN 

BK.  (U)  WIKILEAKS. CX 

BL.  (U)  WIKILEAKS.DE 
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BM.  (U)  WIKILEAKS.ES 

BN.  (U)  WIKILEAKS. EU 

BO.  (U)  WIKILEAKS. IN 

BP.  (U)  WIKILEAKS. INFO 

BQ.  (U)  WIKILEAKS.JP 

BR.  (U)  WIKILEAKS. LA 

BS.  (U)  WIKILEAKS. ORG.NZ 

BT.  (U)  WIKILEAKS.ORG.UK 

BU.  (US  WIKILEAKS. TL 

BV.  (U)  WIKILEAKS. WS 

BW.  (U)  ZURICH. BASE-V.CH 

6.  (U//FOUO)  THE  WIKILEAKS.ORG  SITE  IS  PRESENTLY  INVOLVED  IN  ONGOING 
LEGAL  CHALLENGES.  A  FEDERAL  DISTRICT  COURT  ISSUED  A  PERMANENT 
INJUNCTION  TO  CLOSE  THE  PUBLIC  WEB  SITE  WIKILEAKS.ORG  ON  18FEB08, 

BUT  REVERSED  ITSELF  ON  29FEB08.  THE  DATA  CONTINUED  TO  REMAIN 
ACCESSIBLE  FROM  THE  MULTIPLE  MIRRORED  SITES. 

7.  (U//FOUO)  IT  APPEARS  THAT  MANY  OF  THE  SENSITIVE  DOCUMENTS  HAVE 
BEEN  POSTED  USING  A  USER  ACCOUNT  NAMED  PERYTON.  A  PERYTON  IS  A 
MYTHICAL  CREATURE  COMMON  IN  DUNGEONS  AND  DRAGONS  STYLED  GAMES  AND 
FANTASY  LITERATURE.  IT  IS  OFTEN  DESCRIBED  AS  A  MIX  OF  A  GIANT  EAGLE 
AND  A  STAG  WHO  SURVIVES  BY  FEASTING  ON  THE  HEARTS  OF  ITS  VICTIMS. 

COMMENTS:  1.  FIELD  COMMENTS:  (U/FOUO)  QUESTIONS  CONCERNING  THIS  HR 
CAN  BE  DIRECTED  TO  NCIS  HQ  CODE  24D2  AT  COMMERCIAL  (202)  433-6767  OR 
DSN  288-6767.  EMAIL  INQUIRIES  CAN  BE  MADE  TO 
OACANALYST@NCISMAIL.NCIS.NAVY.SMIL.MIL.  NCIS  CYBER  DEPARTMENT 
PRODUCTS  ARE  AVAILABLE  AT 

HTTP : //CYBER. NCIS . NAVY . SMIL . MIL/CYBER/HOME . DO . 

INSTR:  (U//FOUO)  U.S.  NO. 

PREP:  (U)  5-HQ-2758. 

ACQ:  (U)  WASHINGTON,  DC  (20080307)  . 

DISSEM:  (U)  FIELD  —  NONE. 
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251288 

2010-03-01  00:25 

10ASTANA281 

Embassy  Astana 

UNCLASSIFIED//FOR  OFFICIAL  USE  ONLY 

251289 

2010-03-01  00:27 

10ASTANA282 

Embassy  Astana 

UNCLASSIFIED//FOR  OFFICIAL  USE  ONLY 

251290 

2010-03-01 00:36 

10SANTIAG0270 

Embassy  Santiago 

UNCLASSIFIED 

251291 

2010-03-01  00:53 

10BISHKEK194 

Embassy  Bishkek 

UNCLASSIFIED//FOR  OFFICIAL  USE  ONLY 

251292 

2010-03-01  00:57 

10SEOUL324 

Embassy  Seoul 

UNCLASSIFIED 

251293 

2010-03-01  01:22 

10ASTANA283 

Embassy  Astana 

UNCLASSIFIED 

251294  2010-03-0101:46 

10STATE18658 

Secretary  of  State 

UNCLASSIFIED//FOR  OFFICIAL  USE  ONLY 

251295 

2010-03-01  01:59 

10TOKYO398 

Embassy  Tokyo 

UNCLASSIFIED 

251296 

2010-03-01  02:23 

10CANBERRA145 

Embassy  Canberra 

CONFIDENTIAL//NOFORN 

251297 

2010-03-01  03:01 

10TOKYO399 

Embassy  Tokyo 

UNCLASSIFIED 

251298 

2010-03-01  03:05 

10KUALALUMPUR132 

Embassy  Kuala  Lumpur 

CONFIDENTIAL 

251299 

2010-03-01 03:32 

10ASHGABAT252 

Embassy  Ashgabat 

UNCLASSIFIED 

251300 

2010-03-01  03:33 

10ASHGABAT253 

Embassy  Ashgabat 

UNCLASSIFIED//FOR  OFFICIAL  USE  ONLY 

251301 

2010-03-01  03:51 

10CANBERRA147 

Embassy  Canberra 

CONFIDENTIAL//NOFORN 

251302 

2010-03-01  03:53 

10CANBERRA148 

Embassy  Canberra 

UNCLASSIFIED//FOR  OFFICIAL  USE  ONLY 

251303 

2010-03-01  03:55 

10TAIPEI206 

American  Institute  Taiwan,  Taipei 

UNCLASSIFIED//FOR  OFFICIAL  USE  ONLY 

251304 

2010-03-01 03:57 

10ASTANA284 

Embassy  Astana 

SECRET 

251305 

2010-03-01  04:01 

10JAKARTA259 

Embassy  Jakarta 

UNCLASSIFIED 

251306 

2010-03-01  04:08 

10KABUL728 

Embassy  Kabul 

SECRET 

251307 

2010-03-01  05:14 

10NAIROBI480 

Embassy  Nairobi 

UNCLASSIFIED 

251308 

2010-03-01 05:17 

10ANKARA317 

Embassy  Ankara 

UNCLASSIFIED//FOR  OFFICIAL  USE  ONLY 

25130° 

2010-03-0105:30 

10BISHKEK196 

Embassy  Bishkek 

CONFIDENTIAL 

251310 

2010-03-01  05:53 

10CANBERRA150 

Embassy  Canberra 

UNCLASSIFIED 

251311 

2010-03-0105:55 

10CANBERRA151 

Embassy  Canberra 

UNCLASSIFIED//FOR  OFFICIAL  USE  ONLY 

251312 

2010-03-01  06:11 

10DAMASCUS176 

Embassy  Damascus 

CONFIDENTIAL 

251313 

2010-03-01  06:17 

10BANGKOK484 

Embassy  Bangkok 

UNCLASSIFIED//FOR  OFFICIAL  USE  ONLY 

251314 

2010-03-01  06:21 

10DOHA80 

Embassy  Doha 

UNCLASSIFIED//FOR  OFFICIAL  USE  ONLY 

251315 

2010-03-0106:21 

10DUBAI31 

Consulate  Dubai 

CONFIDENTIAL 

251316 

2010-03-01 06:22 

10DOHA81 

Embassy  Doha 

UNCLASSIFIED//FOR  OFFICIAL  USE  ONLY 

251317 

2010-03-0106:24 

10CANBERRA153 

Embassy  Canberra 

UNCLASSIFIED 

251318 

2010-03-0106:45 

10BUCHAREST110 

Embassy  Bucharest 

UNCLASSIFIED//FOR  OFFICIAL  USE  ONLY 

251319 

2010-03-0106:46 

10BUCHAREST111 

Embassy  Bucharest 

UNCLASSIFIED 

251320 

2010-03-0106:46 

10HARARE188 

Embassy  Harare 

UNCLASSIFIED 

. 251321 

;  2010-03-01  06:56 

10HANOI226 

Embassy  Hanoi 

UNCLASSIFIED 
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File 

i  Created 

10ANKARA299.html 

04  May  10  01:27:11 

[J,  10A5MARA33.html 

04  May  10  02:22:33 

10ASMARA35.html 

04  May  10  02:14:21 

[J,  10BAGHDAD294.html 

04  May  10  02:03:10 

Ck  10BAGHDAD378.html 

04  May  10  01:43:30 

10BAGHDAD521.html 

04  May  10  02:03:14 

10COLOMBO65.html 

04  May  10  01:40:22 

10ISTANBUL20.html 

04  May  10  01:59:12 

10RPODUBAI37.html 

04  May  10  02:02:40 

Ck  10SANAA382.html 

04  May  10  01:31:50 

10WARSAW17.html 

04  May  10  02:01:14 

Q  backup. xlsx 

03  May  10  23:36:55 

dates, csv 

04  May  10  17:07:20 

CJ?  dates.txt 

04  May  10  17:06:13 

Ir^l  files.zip 

04  May  10  18:35:50 

move.bat 

04  May  10  17:21:36 

[i  WZ5C.tmp 

04  May  10  18:40:16 
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UNITED  STATES  OF  AMERICA 


Manning,  Bradley  E. 

PFC,  U.S.  Army, 

HHC,  U.S.  Army  Garrison, 

Joint  Base  Myer-Henderson  Hall 
Fort  My er,  Virginia  22211 


v. 


) 

) 

) 

) 

) 

) 

) 

) 

) 


STIPULATION  OF 
EXPECTED  TESTIMONY 


DATED:  i^June  2013 


Mr.  Jacob  Grant 


It  is  hereby  agreed  by  the  Accused,  Defense  Counsel,  and  Trial  Counsel,  that  if  Mr.  Jacob 
Grant  were  present  to  testify  during  the  merits  and  pre-sentencing  phases  of  this  court-martial,  he 
would  testify  substantially  as  follows: 

1.  I  currently  serve  as  Contract  Task  Lead  for  CCJ6,  assigned  to  the  Active  Cyber  Defense 
Branch  at  U.S  Central  Command's  Headquarters  (USCENTCOM)  on  MacDill  Air  Force  Base 
(AFB)  in  Florida.  In  this  capacity,  I  am  responsible  for  conducting  various  levels  of  Cyber 
Operations  for  USCENTCOM  and  Overseas  Areas  of  Responsibility  (AOR) — including 
Computer  Network  Defense  (CND)  activities.  Computer  Network  Attack  (CNA)  planning  & 
analysis,  and  the  analysis  and  reverse  engineering  of  Computer  Network  Exploitation  (CNE) 
activities  in  order  develop  effective  countermeasures.  I  am  the  lead  for  our  “in-house”  Computer 
Emergency  Response  Team  (CERT).  In  this  capacity,  I  perform  in-depth  forensic  analysis  of 
CND  alerts,  flow  analysis,  or  interpretation  of  threat  information  to  include  security 
compromises,  network  intrusions,  and  malicious  logic  outbreaks.  I  have  held  this  position  for 
four  and  a  half  years.  At  the  time  of  my  involvement  in  this  case,  I  was  the  Senior  INFOSEC 
Analyst  with  the  Information  Assurance  (IA)  Branch  of  the  J6  USCENTCOM.  I  have  also  been 
an  IA  Watch  Officer,  a  Senior  Analyst,  and  a  Senior  Engineer.  I  served  for  two  years  as  an 
enlisted  Airman  working  in  technical  control  and  network  engineering. 

2.  I  am  a  Certified  Information  Systems  Security  Professional  (CISSP)  (2008).  I  have  a  Top 
Secret/SCI  security  clearance.  I  have  Associates  degrees  in  Electronic  Systems  Technology  and 
Avionics  Systems  Technology.  I  am  a  Cisco  Certified  Network  Associate  (CCNA)  (2003)  and  a 
CORE  Impact  Certified  Professional  (CICP)  (2013).  Some  of  the  network  security  and 
associated  training  I  have  received  includes:  McAfee  Network  Security  Platform  Administration 
(2013),  ArcSight  ESM  Use  Case  Foundations  (2012),  EnCase  Computer  Forensics  1  (2012), 
ArcSight  Logger  5.0  Administration  and  Operations  (201 1),  Basic  Malware  Analysis  Using 
Responder  Professional  (2010),  Ethical  Hacking  (2008),  McAfee  Host-Based  Security  Systems 
(2007),  Information  Technology  Service  Management  (ITSM)  (2007),  and  Cisco  Securing 
Networks  w/  PIX  &  ASA  (SNPA)  (2007). 

3.  I  became  involved  in  this  case  for  two  reasons.  From  19-20  August  2010, 1  was  involved  in 
the  collection  and  transfer  of  audit  logs  from  the  USCENTCOM  SharePoint  on  the 
USCENTCOM  SIPRNET  web  server.  At  this  time,  I  was  also  involved  in  the  identification, 
collection,  and  transfer  of  information  housed  within  that  SharePoint  site.  Our  collection 
focused  on  the  SharePoint  because  I  had  identified  it  as  the  location  of  charged  documents  based 
upon  the  SIPRNET  webpage  address  of  those  documents.  Further,  Special  Agent  (SA)  John 
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Wilbur,  with  whom  I  was  working,  was  interested  in  the  contents  of  the  USCENTCOM  JAG 
folder. 

4.  The  USCENTCOM  SharePoint  server  is  a  tool  to  create  an  internet  interface  that  allows  users 
with  access  to  the  site  on  SIPRNET  to  collaborate,  for  example,  by  sharing  files.  The  SharePoint 
itself  is  only  accessible  via  SIPRNET,  so  a  user  must  access  it  via  secure  systems.  At  that  time, 
it  was  identified  at  IP  addresses  131 .240.47.23  (for  the  SharePoint  database  cluster), 

131.240.47.6,  and  131.240.47.7  (for  the  web  portal  front  end  or  the  portion  accessible  by 
SIPRNET  users).  The  database  as  a  whole  occupied  several  terabytes  of  space.  The  server 
supporting  it,  from  which  I  pulled  the  logs  and  other  information  at  issue,  is  physically  housed  on 
virtual  machines  within  a  cluster,  in  a  data  center,  on  a  storage  area  network  (SAN).  Only 
authorized  USCENTCOM  Headquarters  J-6  personnel  are  granted  access  to  the  facility.  The 
data  center  is  protected  by  badge  access,  cipher  locks,  video  surveillance,  and  an  access  roster. 

5.  The  audit  logs  I  referenced  herein  are  Internet  Information  Systems  (IIS)  or  Windows  server 
log  files,  which  capture  the  IP  address  of  the  USCENTCOM  SharePoint  server.  The  logs  do  not 
capture  any  remote  or  external  IP  addresses.  The  logs  only  capture  the  dates  and  times 
documents  are  accessed  on  the  SharePoint  server,  as  well  as  related  activity  on  the  SharePoint 
server. 

6.  For  collection  as  evidence  by  SA  Wilbur,  these  logs  were  pulled  by  the  internet  server 
maintenance  team.  I  know  this  because  I  was  there  when  they  retrieved  the  information.  These 
logs  saved  in  a  standard  text  file,  or  “.txt”  format.  I  burned  these  logs  onto  a  hard  drive  and  also 
onto  a  DVD.  I  know  these  devices  were  clean  of  data  because  I  personally  wiped  all  information 
from  the  hard  drive  and  laptop,  and  created  the  image  for  the  hard  drive  on  which  the  logs  were 
burned.  Further,  I  performed  a  hash  value  match  to  verify  that  the  logs  provided  were  saved 
accurately  onto  the  disk.  The  DVD  was  red.  I  marked  it  with  the  title  “CIE  USR  DATA”. 

This  DVD  contained  the  files  “CENTCOM_CIE_SharePoint-HASH_MD5SHAl.pdf’, 
“CENTCOMHQ_CIE_SharePoint-HASH_MD5SHAl.txt”,  “webl.zip”,  and  “web2.zip”.  The 
first  two  files  contain  the  hash  value  information  validating  the  accuracy  of  the  log  information 
collected.  “Webl.zip”  contained  the  weblog  data  from  1  December  2009  until  30  July  2010, 
pertaining  to  the  USCENTCOM  server  assigned  IP  address  131.240.47.6.  “Web2.zip”  contained 
weblog  data  from  1  April  2010  until  30  July  2010,  pertaining  to  the  USCENTCOM  server 
assigned  to  IP  address  131.240.47.7.  Prosecution  Exhibit\€ftfor  Identification  are  these 
SharePoint  server  logs. 

7.  After  burning  the  log  information  to  the  DVD,  I  signed  the  evidence  to  SA  Wilbur  using  the 
provided  DA  Form  4137  Evidence  Property  Custody  Document.  The  disk  was  recorded  on  a  DA 
Form  4137  labeled  as  document  number  (DN)  122-10.  I  recognize  this  as  BATES  number: 

00411 1 1 1 .  I  know  this  because  I  signed  that  form  and  recognize  my  signature  on  it.  I  would 
recognize  the  evidence  itself  because  I  wrote  the  label  on  the  disk  and  burned  it.  I  did  not  alter 
the  information  or  the  devices  on  which  it  was  housed  in  any  way. 

8.  The  information  housed  on  the  SharePoint  server,  mentioned  previously,  was  accessed  via 
SIPRNET  and  located  in  the  JAG  folder  on  the  USCENTCOM  SharePoint  page.  We  collected 
this  information  for  two  reasons.  First,  collecting  this  information  shows  what  content  was 
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originally  available  on  the  USCENTCOM  server  to  SIPRNET  users.  Second,  this  information 
helps  put  the  log  data  we  collected  into  context. 

9.  I  assisted  SA  Wilbur  in  collecting  this  information  from  the  SharePoint  server.  To  retrieve  it, 
we  used  two  blank  CCIU  SATA  hard  drives.  I  know  these  are  clear  hard  drives  because,  in 
accordance  with  USCENTCOM  policy,  I  scanned  them  for  malware  and  viruses  before  they 
were  used  to  gather  the  evidence.  Having  found  none,  I  knew  they  were  suitable  for  evidence 
collection.  To  collect  this  information,  we  also  used  an  approved  CCIU  laptop.  I  hooked  this 
laptop  to  the  SIPRNET  using  a  CCIU-issued  USB  cable  and  drive  dock.  We  then  connected  the 
previously  scanned  hard  drive  to  the  laptop.  SA  Wilbur  used  that  connection  to  recover  the 
information  at  issue. 
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Ms.  Florinda  White 
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It  is  hereby  agreed  by  the  Accused,  Defense  Counsel,  and  Trial  Counsel,  that  if  Ms. 
Florinda  White  were  present  to  testify  during  the  merits  and  pre-sentencing  phases  of  this  court- 
martial,  she  would  testify  substantially  as  follows: 

1 .  I  am  the  Configuration  Management  Lead  for  the  Distributed  Common  Ground  System  Army 
(DCGS-A)  program.  I  graduated  with  a  degree  in  computer  science  in  1991.  Thereafter,  I 
completed  additional  courses  in  computer  science.  I  have  experience  with  Linux  and  Windows. 
Additionally,  I  have  experience  as  a  programmer,  system  administrator,  network  administrator, 
and  system  engineering.  I  specialize  in  computer  management,  which  is  a  subspecialty  of 
systems  engineering.  From  2005-2010, 1  worked  as  a  contractor  on  the  DCGS-A  program  for 
which  I  currently  work.  As  a  contractor,  I  worked  as  an  analyst  and  in  configuration 
management. 

2.  Currently,  I  work  for  Communications-Electronics,  Research,  Development  and  Engineering 
Center  (CERDEC)  Software  Engineering  Directorate  (SED)  at  Aberdeen  Proving  Grounds, 
Maryland.  CERDEC  is  the  United  States  Army  information  and  technologies  and  integrated 
systems  center.  SED  provides  software  acquisition  and  software  engineering  support  to  Army 
tactical  systems,  to  include  creation  of  concept,  concept  development,  demonstration  of  concept, 
production  and  development,  and  operations  and  maintenance,  thereby  developing  and 
supporting  software  systems  throughout  their  lifecycle.  SED  also  provides  information 
assurance  and  determines  the  requirements  and  necessary  tools  to  complete  tasks.  Software 
products  developed  by  SED  supports  Army  war  fighting  efforts.  DCGS-A  is  a  component  of 


SED. 


3.  DCGS-A  is  the  Army’s  primary  system  to  post  data,  process  information,  and  disseminate 
intelligence,  surveillance,  and  reconnaissance  information  about  terrain,  threats,  weather,  and 
other  information  relevant  to  Servicemembers.  DCGS-A  is  the  approved  system  used  by 
intelligence  analysts  (35F  Military  Occupational  Specialty).  DCGS-A  provides  commanders  the 
ability  to  receive  intelligence  from  multiple  sources  and  intelligence  systems.  Moreover,  DCGS- 
A  ensures  each  piece  of  approved  hardware  and  software  is  secure,  stable,  and  compatible  with 
existing  systems. 

4.  As  the  Configuration  Management  Lead,  I  ensure  software  and  hardware  for  each  system 
meets  approved  specifications  and  follows  approved  builds.  The  approved  builds  are  also  known 
as  baselines.  Each  baseline  consists  of  approved  software  and  hardware.  The  software  is 
specifically  listed  by  program  and  version  number.  Hardware  is  specifically  approved  by  type 
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and  manufacturer.  A  specific  baseline  is  described  in  a  Version  Description  Document  (VDD). 
The  VDD  states  each  authorized  component  of  a  baseline.  Any  software  or  hardware  not  listed 
in  the  VDD  is  not  authorized  and  is  not  part  of  the  baseline. 

5.  The  baseline  is  developed  through  a  deliberate  process.  The  Program  Manager  (PM)  of  each 
system  approves  each  respective  baseline  that  falls  within  the  PM’s  system.  The  baseline  is 
tested  for  stability.  Stability  means  that  the  system  itself  is  stable  and  that  the  system  is  stable 
when  interacting  with  other  approved  systems.  Stability  is  important  because  the  computer 
system  completes  important  tasks  for  Servicemembers  and  the  system  must  work  at  all  times, 
especially  in  a  deployed  environment.  The  baseline  is  also  tested  for  security.  Security  means 
the  system  is  secure  by  itself  and  when  it  interacts  with  other  approved  systems.  Security  is 
important  because  some  of  the  computer  systems  contain  classified  information.  The 
information  is  used  by  Servicemembers  to  complete  their  missions,  and  the  systems  maintain 
security  so  only  authorized  users  can  access  the  information.  Ensuring  stability  and  security 
requires  extensive  testing.  Each  new  baseline  is  accredited,  and  any  changes  to  the  baseline 
must  be  certified  after  undergoing  the  vetting  process. 

6.  Any  change  to  the  baseline  requires  new  testing  of  the  new  baseline  because  a  single  change 
can  affect  a  system’s  security  or  its  stability.  The  process  to  make  changes  to  the  baseline  begins 
when  a  user  submits  a  request  identifying  requested  capabilities.  After  a  request  has  been 
submitted,  the  request  goes  before  the  Engineer  Review  Board  (ERB).  The  ERB  is  comprised  of 
subject  matter  experts,  engineers,  and  testers.  The  ERB  analyzes  and  assesses  the  requested 
changes  for  effectiveness  and  costs.  The  ERB  also  assesses  any  effect  the  requested  change 
could  have  on  the  network.  The  ERB  provides  a  recommendation  based  on  its  conclusions  and 
testing  to  the  Configuration  Control  Board  (CCB).  The  CCB  is  comprised  of  configuration 
subject  matter  experts,  engineers,  and  the  relevant  PM.  The  CCB  then  makes  a  final 
determination  based  on  the  effectiveness  and  cost.  Changes  to  the  baseline  can  be  approved  in  3 
days  up  and  to  1  year  depending  on  the  complexity  of  the  system  and  the  nature  of  the  requested 
change.  The  process  has  been  designed  to  maintain  system  security  and  stability. 

7.  After  a  baseline  has  been  approved,  a  computer  image  is  created.  This  computer  image  is 
installed  onto  approved  systems.  An  image  is  used  to  ensure  that  each  system  receives  exactly 
the  same  software.  Using  the  same  image  ensures  that  the  DCGS-A  program  only  tests  one 
image  instead  of  testing  each  system.  This  increases  the  likelihood  the  software  will  comport 
with  the  approved  baseline. 

8.  Prosecution  Exhibit  (PE)  9  is  the  VDD.  PE  9  describes  the  baseline  for  a  Basic  Analyst 
Laptop  (BAL).  I  am  familiar  with  the  VDD  in  PE  9  and  other  VDDs  because  I  work  with  them 
daily  in  my  position  as  the  Configuration  Management  Lead.  As  the  Configuration  Management 
Lead,  I  inspect  images  to  ensure  the  image  meets  the  standards  set  forth  in  the  baseline.  I  check 
each  program  individually  to  ensure  it  is  the  correct  program  and  specifically  the  correct  version 
of  the  program.  Any  software  not  approved  in  the  baseline,  as  reflected  in  the  VDD,  is  not 
authorized.  Specifically,  even  if  a  software  program  is  authorized,  the  program  cannot  be  added 
to  the  image  unless  it  is  an  approved  version  from  approved  source.  That  is,  the  approved 
version  of  the  program  must  be  obtained  from  an  authorized  source.  Programs  obtained  from 
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unauthorized  sources,  such  as  the  Internet,  could  obtain  viruses,  Trojan  horses,  or  other  malware 
that  would  jeopardize  both  system  security  and  stability. 

9.  Wget  is  a  computer  program  that  retrieves  content  from  web  servers,  and  is  part  of  the  GNU 
Project.  Wget  supports  downloading  via  HTTP,  HTTPS,  and  FTP  protocols,  which  are  common 
protocols  used  on  the  internet  for  webpages.  Wget  is  a  free  network  utility  commonly  used  to 
retrieve  files  from  the  internet.  It  has  been  designed  for  robustness  over  slow  or  unstable 
network  connections.  If  a  download  does  not  complete  due  to  a  network  problem,  Wget  will 
automatically  try  to  continue  the  download  from  where  it  left  off,  and  repeat  this  until  the  whole 
file  has  been  retrieved.  Wget  is  non-interactive  in  the  sense  that  once  started,  it  does  not  require 
user  interaction.  To  my  knowledge,  Wget  has  never  been  authorized  as  part  of  any  DCGS-A 
baseline,  nor  has  it  been  requested  for  approved  use.  As  such,  Wget  has  never  been  reviewed  by 
our  program  and  I  cannot  say  whether  it  would  be  approved  for  use  or  not.  The  VDDs  created 
for  V3.0P17,  V3.0P18,  V3.1P3  each  did  not  authorize  Wget  on  a  DCGS-A  computer  or  for  it  to 
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Prosecution  Exhibit  108 
1  CD 
classified 
"SECRET” 

ordered  sealed  for  Reason  2 
Military  Judge’s  Seal  Order 
dated  20  August  2013 
stored  in  the  classified 
supplement  to  the  original 
Record  of  Trial 
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Draft:The  Most  Wanted  Leaks  of  2009-sort 

From  Wikiieaks 

Somewhat  sorted  entries  of  the  most-wanted  list.  Work  in  progress,  TODO:  Add  brief,  entity  and  date  for  each  entry. 


Contents 

a  1  Austria 
a  2  Australia 
a  3  Bahrain 
a  4  China 
a  5  Colombia 
a  6  Finland 
a  7  France 
a  8  Germany 
a  9  Greece 
a  10  Guatemala 
a  1 1  Italy 
a  12  Kenya 
a  13  Libya 
a  1 4  Madagascar 
a  15  Mali 
a  16  Mexico 
a  17  Niger 
a  18  Norway 
a  19  Puerto  Rico 
a  20  Rwanda 
a  21  Russia 
a  22  Slovenia 
a  23  Sudan 
a  24  Syria 
a  25  Switzerland 
a  26  Swaziland 
a  27  Trinidad  and  Tobago 
a  28  Uganda 
a  29  United  Kingdom 
a  30  United  Nations 
a  3 1  United  States 
a  32  Vatican 

a  33  International  organizations 


Austria 

a  Austrian  e- Voting  system  used  in  students  elections. 

a  Date:  18  May  2009 

a  Brief:  We  seek  for  details  about  Austrian  voting  system  used  in  students  elections,  which  includes  but  is  not  limited  to 
source  code  and  certifications. 

a  Entity:  Scytl  (http://web.archive.org/web/20091 105061330/http://www.scytl.com/)  (programming) 

a  Entity:  Austrian  Federal  Computation  Center 

(http://web.archive.Org/web/20091105061330/http://www.brz.gv.at/Portal.Node/brz/public? 
gentics.am=PCP&p.contentid=  10007. 1 7664)  (hosting) 

a  Entity:  Ministry  of  Science  (http://web.archive.org/web/2009l  105061330/http://www.bmwf.gv.at/submenue/english/) 
(initiator) 

a  Entity:  Robert  Krimmer  (http://web.archive.org/web/20091 105061330/http://www.e-voting.cc/topics/Team/)  (consulting) 

a  E-Mail  traffic  between  Josef  Prfill  and  Christian  Konrad. 

a  Date:  ??? 

a  Brief:  E-Mail  traffic  between  minister  of  finance  Josef  Prdll  and  Christian  Konrad,  who  is  advocate  general  of  Raiffeisen 
bank 

a  Entity:  Josef  PrOl!  (josef.proell@bmf.gv.at) 

a  Entity:  Christian  Konrad 


ManningB_0041 0572 

http://web.archive.org/web/20091 105061330/http://wikileaks.org/wiki/Draft:The_Most...  12/6/201 1 


'  Draft:The  Most  Wanted  Leaks  >w  009-sort  -  Wikileaks 


Page  2  of  1 2 


■  E-Mail  traffic  of  Anton  Mahdalik  with  Michael  Hiiupl  and/or  Michael  Ludwig 

■  Date:  ??? 

■  Brief:  E-Mail  traffic  of  FPO  delegate  Anton  Mahdalik  with  Viennese  mayor  Michael  Hflupl  and/or  deputy  mayor  Michael 
Ludwig  containing  threats  when  renting  municipal  ground  to  the  Viennese  traitor  park  ("Wagenplatz  Wien"). 

■  Entity:  Anton  Mahdalik  (toni.mahdalik@fpoe.at) 

■  Entity:  Michael  Haupl  (michael.haeupl@wien.gv.at) 

Australia 

■  ACMA  URL  blacklist 

■  Date:  19  March  2009  and  later 

■  Brief:  Versions  of  the  ACMA  URL  blacklist  newer  than  19  March  2009.  WikiLeaks  previously  released  three  versions  of 
the  list,  two  of  which  included  WikiLeaks  or  its  subpages. 

■  Entity:  Australian  Communications  and  Media  Authority 
(http://web.archive.org/web/20091 10506 1 330/http://wwwacma.gov.au/WEB/HOMEPAGE/PC=HOME) 

■  Censorship  technology  in  Australia 

■  Date:  2009 

■  Entity:  Australian  Communications  and  Media  Authority 
(http://web.archive.org/web/2009l  105061330/http://www.acma.gov.au/WEB/HOMEPAGE/PC=HOME) 

■  Entity:  EnexTestlabs  (http://web.archive.org/web/20091  !05061330/http://www.testlab.com.au/) 

■  Entity:  Watchdog  NZ  (http://web.archive.org/web/20091 1 0506 1330/http://www.  watchdog.net. nz/) 

■  Entity:  [www.iwf.org.uk  Internet  Watch  Foundation] 

■  Entity:  Exetel  ISP  (http://web.archive.org/web/20091 1 0506 1 330/http://exetel . com.au/news_main.php) 

■  Brief:  Full  details  of  filtering  hardware/software  vendors  participating  in  government-sponsored  ISP-level  censorship 
technology  trials,  including  (but  not  limited  to): 

■  Any  and  all  communications  between  filter  vendors  and  government  departments  prior  to,  during,  and  after  the  trials 

■  Any  and  all  transactions,  contracts,  and  other  financial  arrangements  involving  filter  vendors 

■  Details: 

■  URL  blacklist(s)  used  during  above  trials.  Alleged  (by  government)  to  be  ACMA  URL  blacklist 

■  Full  statistical  breakdown  of  results  of  above  trials  (in  the  event  that  Enex  Testlabs  do  not  make  them  publicly 
available). 

■  URL  blacklist  as  used  by  Watchdog  NZ  during  private  censorship  technology  trial  by  ISP  Exetel  in  May  2009. 
Alleged  (by  Watchdog)  to  have  been  IWF  list  (see  United  Kingdom). 

■  Full  statistical  breakdown  of  results  of  Walchdog/Exetel's  censorship  technology  trial  -  Exetel's  official  response 
(http://web.archive.org/web/20091 105061330/http://forum.exetel.com.au/viewtopic.php?f=4&t=3l857*p244129) 
seems  lacking. 

■  Annual  NSW  Police  test 

■  Brief:  Written  exam  NSW  police  officers  must  take  annually  before  they  can  be  issued  with  Tasers. 

■  Entity:  NSW  Police  (http://web.archive.org/web/2009l  I05061330/http://www.police.nsw.gov.au/) 

Bahrain 

■  Documents  regarding  changes  to  country's  demography. 

■  Brief:  Documents  disclosing  the  number  of  citizenships  that  have  been  granted  in  the  last  few  years,  in  an  effort  to  change 
the  country's  demography.  See  Political  naturalisation^] 

(http://web.archive.org/web/20091 10506 1330/http://www.ihrc.org.uk/show.php?id=2860) . 

China 

■  Golden  Shield  Project 

■  Brief:  A  list  of  URLs  and  keywords  censored  filtered  by  the  Golden  Shield  Project  (Great  Firewall  of  China).  WikiLeaks 
has  previously  released  related  information,  for  example,  watch  lists,  policies  and  several  thousand  URLs  for  CCTV  and 
Baidu,  but  not  for  general  http  filtering. 

■  Entity:  Ministry  of  public  security  (http://web.archive.org/web/20091 1 0506I330/http://www.mps. gov.cn/) 

■  Genocide  Olympics  campaign 

■  Date:  28th  March  2007 

■  Brief:  Policy  options  on  Darfur  formulated  in  response  to  the  so-called  Genocide  Olympics  campaign  led  by  American 
actress,  Mia  Farrow,  and  notes  of  meetings  in  2007  between  Stephen  Spielberg  and  Chinese  Foreign  Ministry  officials  prior 
to  Spielberg's  resignation  as  Artistic  Director  of  the  2008  Beijing  Olympics. 

Colombia 
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■  Surveillance  of  citizens  and  organisations 

■  Brief:  The  DAS  (Departamento  Administrative  de  Seguridad)  is  reported  to  have  surveilled  a  wide  array  of  public  officials, 
private  citizens,  and  organizations.  Documents  wanted:  contracts  to  supply  software  for  internet  surveillance  to  Colombian 
policy  agencies  and  details  of  the  software  supplied. 

■  Entity:  DAS  (http://web.archive.org/web/20091 I05061330/http://www.das.gov.co/) 


Finland 

■  Tiitisen  Lista 

■  Brief:  The  so  called  Tiitisen  Lista,  the  list  of  1 8  persons  claimed  to  have  been  in  active  contact  with  East  German  security 
services  (Stasi).  The  list  was  received  from  the  West  German  intelligence  services  (BND)  in  1990  and  since  classified  by 
the  order  of  President  Koivisto  as  adviced  by  the  head  of  the  Finnish  Security  Police  (Suojelupoliisi),  Seppo  Tiitinen.  It  is 
rumoured  that  several  current  or  former  top  Finnish  politicians  appear  on  the  list. 

■  Entity:  Stasi  (http://web.archive.org/web/20091 1 05061 330/http://en. wikipedia.org/wiki/Stasi) 

■  Entity:  Koivisto 

(http://web.archive.org/web/20091 1 05061 330/http://www.  valtioneuvosto.fi/hakemisto/ministerikortisto/ministeritiedot.  asp? 
nro=167) 

■  Entity:  Suojelupoliisi  (http://web.archive.org/web/20091 I05061330/http://www.poliisi.fi/supo/) 

France 

■  Nicholas  Sarkozy'  health  report 

■  Brief:  The  Monthly  Health  Report  of  President  Nicolas  Sarkozy,  as  promised  by  himself  during  the  last  presidential 
elections. 

Germany 

■  Censorship  in  Germany 

■  Details: 

■  The  censorship  filter  list  for  the  proposed  national,  mandatory  censorship  system.  The  list  will  be  compiled  by 
German  federal  criminal  police  BKA  and  distributed  to  internet  service  providers. 

■  The  contents  of  the  contract  between  the  BKA  and  some  ISPs  that  has  already  been  signed,  but  is  kept  secret  due  to 
"public  safety"  and  copyright  concerns  (see  http://blog.fefe. de/?ts=b4fa8af8). 

■  The  List  of  Media  Harmful  to  Young  People  (the  censorship  system  already  in  place).  The  "virtual  media"  part  of  this 
list  is  distributed  to  search  engine  providers  and  is  illegal  to  publish.  It  probably  could  be  reverse  engineered  using 
the  differences  between  google.com  and  google.de  search  results.  Also,  if  you  want  to  know  if  a  specific  medium  is 
on  the  list,  you  can  send  an  enquiry  to  liste@bundespruefstelle.de  (mailto:liste@bundespruefstelle.de) 
("Bundesprilfstelle”  is  the  agency  responsible  for  keeping  the  list). 

■  Entity:  Bundesprilfstelle  (http://web.archive.org/web/20091 105061330/http://www.bundespruefstelle.de/) 

■  Entity:  BKA  (http://web.archive.org/web/20091 105061330/http://www.bka.de/) 

■  Politician's  Stasi  files 

■  The  Stasi  (http://web.archive.org/web/2009l  1 0506 1 3 30/http://en.  wikipedia.org/wiki/Stasi)  files  of  Federal  Chancellor  Angela 
Dorothea  Merkel  (maiden  name  Kasner)  and  other  leading  politicians,  which  are  known  to  exist,  but  withheld  from  public 

■  Operation  Gladio 

■  Brief:  The  Stasi  files  relating  to  operation  Gladio  /  stay  behind  organisations  in  relation  to  right-wing  terrorism  in  Germany 
(http://web.archive.org/web/20091  l05061330/http://www.heise.de/tp/r4/artikel/30/30390/l.html) ,  as  per  a  parliamentary 
request  by  the  Green  party. 

■  Atlas  Der  \Vut 

■  Brief:  The  so  called  "Atlas  der  Wut",  a  document  about  the  risk  of  riots  in  different  german  regions  The  list  is  said  to  be 
updated  regulary  and  was  first  written  in  2005. 

■  The  list  of  NPD  party  members 

Greece 

The  Athens  Affair 

■  Brief:  Documents  related  to  the  Athens  phone  tapping  affair  that  have  yet  to  be  released  (including  those  from  countries  other 
than  Greece)  Context  (http://web.archive.org/web/20091 105061330/http://www.spectrum.ieee  org/telecom/security/the-alhens- 
affair/0) 

Guatemala 
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■  Plan  Victoria  82,  Plan  Sofia  and  Plan  Fcrmeza  83 

■  Brief:  All  documents  on  Plan  Victoria  82,  Plan  Sofia  and  Plan  Firmeza  83. 

■  Detail: 

Within  the  process  of  trying  to  bring  military  personal  involved  in  human  rights  violations  and  massacres  that  happen 
during  the  civil  war  in  Guatemala  to  justice,  the  military  have  been  required  to  declassify  many  war  documents.  In  a  case, 
that  went  all  the  way  to  the  Supreme  Court  of  Guatemala,  the  Court  dictated  a  sentence  that  confirmed  the  obligation  of  the 
Ministry  of  Defense  of  Guatemala  to  hand  over  the  official  documentation  of  four  specific  military  operations:  Campana 
Sofia  82,  Victoria  82,  Firmeza  83  and  Operacion  Ixil.  The  Supreme  Court  sentence  indicated  that  the  archives  had  to  be 
declassified. 

These  military  operations  were  carried  out  in  the  80s.  According  to  the  CEH,  Historical  Clarification  Commission  of 
Guatemala  final  report  contained  in  "Guatemala:  Memory  of  Silence",  these  military  operations  resulted  in  massacres  and 
severe  human  rights  violations. 

The  Minister  of  Defense  Abraham  Valenzuela  only  delivered  partial  information  about  plans  Victoria  82  and  Firmeza  83, 
two  of  the  four  requested  plans.  He  indicated  that  he  had  no  knowledge  of  the  other  two  plans  before  he  became  Minister  of 
Defense  and  that  he  ignores  where  the  documentation  could  be.  He  stated  that  he  could  not  deliver  the  complete  plans 
"Victoria  82"  y  "Firmeza  83"  because  certain  information  was  considered  state  secret  and  a  concern  of  national  security. 

"Plan  Sofia",  a  derivative  of  "Plan  Victoria  82",  was  of  special  concern  to  human  rights  activists;  this  plan  was  conceived  in 
July  1982,  four  months  after  General  Efrain  Rios  Montt  came  into  power 

■  The  CEH  archives 

■  Brief:  Final  report  of  United  Nations'  Historical  Clarification  Commission  (CEH)  into  the  killing  of  200,000  Mayan  people 
and  the  involvement  of  the  US  government  and  American  corporations.  The  report  official  sources  (military  interviews, 
campaign  plans,  etc)  are  kept  secret  by  the  UN  in  NYC. 

■  Detail: 

The  United  Nations'  Historical  Clarification  Commission  (CEH)  for  Guatemala  issued  a  report  where  the  US  government 
and  several  American  corporations  were  accused  of  complicity  in  the  genocide  of  nearly  200,000  Mayan  people  during 
Guatemala?s  bloody  36-year  civil  war.  The  final  3,600-page  CEH  report  clearly  places  the  blame  for  most  of  the  200,000 
deaths  on  the  "racist"  policy  of  the  Guatemalan  government  and  holds  the  country?s  military  and  paramilitary  forces 
responsible  for  the  actual  killings,  tortures  and  disappearances. 

However,  it  accuses  the  US  of  directly  and  indirectly  supporting  a  "fratricidal  confrontation"  by  providing  sustained 
training,  arms  and  financial  aidThe  report  is  based  on  the  testimony  of  9,200  people  from  all  sides  of  the  conflict  and  other 
documents*,  classified  and  Secret,  protected  in  the  UN  headquarters  in  NYC.  The  CEH  investigated  42,000  human  rights 
violations,  29,000  of  which  resulted  in  deaths  or  disappearances  and  therefore,  the  documents  under  UN  custody  are 
fundamental  for  the  prosecution  of  those  responsible  of  the  crimes. 

■  Goldcorp  affair 

■  Brief:  *  Documents  on  Canadian  corporation  named  Goldcorp  with  a  mining  operation  in  Guatemala,  especially 
information  on  where  the  Gold  they  extract  is  processed  and  who  is  buying  the  gold  (we  think  it  might  be  a  Swiss 
company). 

■  Detail:  A  Canadian  corporation  named  Goldcorp  has  a  mining  operation  in  Guatemala  with  poor  environmental  conditions 
and  harming  health  of  many  workers  and  a  community  as  a  whole.  Where  the  Gold  they  extract  is  processed?  Who  is 
buying  the  gold  (we  think  it  might  be  a  Swiss  company)? 


Italy 

■  Italian  censorship  list 

■  Brief:  The  full  Italian  censorship,  of  which  Wikileaks  currently  only  has  a  subset. 


Kenya 

■  Reports  on  high  level  corruption  in  Kibaki  government 

■  Brief:  The  international  investigative  firm  Kroll  associates  produced  at  least  four  reports  on  high  level  Kenyan  corruption 
after  first  term  of  the  Kibaki  government.  A  draft  version  of  one  of  the  reports  The  looting  of  Kenya,  was  previously 
published  by  WikiLeaks.  The  reports  were  given  to  selected  members  of  President  Kibaki's  cabinet  at  the  time  and  are 
likely  still  held  by  http://www.kroH  com.uk/,  notably  lead  investigator  Andrew  Marshall. 

■  Entity:  President  Kibaki 

■  Entity:  Kroll  (http://web.archive.org/web/2009l  10506I330/http://www. kroll. com.uk/) 

Libya 

■  Arrangements  with  the  Sudanese  government 
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■  Brief:  Documents  indicating  arrangements  with  the  Sudanese  government  to  grant  land  in  Darfur  to  Arab  settlers  from 
Libya  (Civilians  and  adminisrators  on  the  gruond  in  Darfur  indicate  this  has  been  taking  place). 

Madagascar 

Both  sides  of  the  political  conflict  in  Madagascar  are  crying  fouls  about  the  deals  made  by  their  counterparts  with  foreign  entities.  The 
release  of  the  official  documents  with  respect  to  contract  negotiations  about: 

■  Oil  exploitation  in  the  region  of  Bemolanga  (  South  of  Madagascar)  by  Total  &  others 

■  Detail:  Oil  and  Gas  in  Madagascar  -  Industry  Overview 

(http://web.archive.org/web/20091 105061 330/http://www.mbendi.com/indy/oilg/af/md/p0005.htm) ,  Infos  on  Total 
licensing  (http://web.archive.org/web/20091 105061330/http://www.scandoil.com/moxie-bm2/news/total-farms-into-the- 
bemolanga-heavy-oil-license-i.shtml) 

■  an  obvious  one  but  the  proposed  final  contract  before  rejection  of  the  land  deal  with  Daewoo  Logistics. 

■  The  recent  agreement  with  Saudi  investment  group  on  staple  products  and  proposed  $2  billion  USD  investment. 

■  The  revised  mining  exploitation  agreement  with  Sheritt  in  Ambatovy  and  Rio  Tinto  in  Fort-Dauphin. 

■  Least  but  not  last,  the  complete  list  of  current  political  prisoners  and  the  charges  against  them. 

Mali 

■  Arrangements  with  the  Sudanese  government 

■  Brief:  Documents  indicating  arrangements  with  the  Sudanese  government  to  grant  land  in  Darfur  to  Arab  settlers  from  Mali 
(Civilians  and  adminisrators  on  the  gruond  in  Darfur  indicate  this  has  been  taking  place). 


Mexico 

■  Agreements  between  USA  and  Peter  Herlihy 

■  Brief:  Zapotec  indigenous  people  demand  transparency  from  U  S.  Scholar  and  full  disclosure  of  all  the  agreements  between 
U  S.  Government  and  their  agencies  and  U  S.  geography  scholar  Peter  Herlihy,  especially  confidential  agreements  with 
Foreign  Military  Studies  Office.  Prof.  Herlihy  failed  to  mention  that  he  received  funding  from  the  Foreign  Military  Studies 
Office  of  the  U.S.  Armed  Forces  on  the  research  of  "Mexico  Indigena"  project.  Mexico  Indigena  Project  forms  part  of  the 
Bowman  Expeditions,  a  more  extensive  geographic  research  project  backed  and  financed  by  the  FMSO,  among  other 
institutions.  The  FMSO  inputs  information  into  a  global  database  that  forms  an  integral  part  of  the  Human  Terrain  System 
(HTS),  a  United  States  Army  counterinsurgency  strategy  designed  by  Foreign  Military  Studies  Office  and  applied  within 
indigenous  communities,  among  others 

■  Entity:  FMSO  (http://web.archive.org/web/2009l  I0506l330/http://fmso.leavenworth.army.mil/) 

■  Entity:  Peter  Herlihy 

(http://web.archive.org/web/2009l  1 05061 330/http://www2.ku.edu/~geography/peoplepages/Herlihy_P.shtml) 

■  Ruta  Maya  2002  Isuzu  Challenge 

■  Brief:  Documents  to  unveil  the  real  purpose  of  "Ruta  Maya  2002  Isuzu  Challenge".  The  convoy  was  commanded  by  Ben 
Nun  Avihu,  Israeli  militar  and  Moshe  Savir,  geography  expert  and  around  50  tourists  in  40  Isuzu  Jeep.  Some  communities 
linked  the  incursion  with  biopiracy.  The  terrain  they  explored  is  controled  by  the  EZLN. 

■  Entity:  Ben  Nun  Avihu 

■  Entity:  Moshe  Savir 

■  Entity:  EZLN  (http://web.archive.org/web/20091 105061330/http://www.ezln.org.mx/) 

■  Corruption  around  FOBAPROA 

■  Brief:  Documents  related  with  the  fraud  and  corruption  around  FOBAPROA  (Fondo  Bancario  de  Protection  at  Ahorro). 

■  Entity:  FOBAPROA  1 

(http://web.archive.org/web/20091 105061330/http://www.cddhcu.gob.mx/cronica57/contenido/cont2/fobaprol.htm)  2 
(http://web.archive.org/web/20091 1 05061 330/http://en.  wikipedia.org/wiki/Fobaproa) 

■  Financial  operations  before  crisis 

■  Documents  of  financial  operations  just  before  the  financial  crisis  of  1 994 
(http://web.archive.org/web/2009l  1 0506 1 330/http://en. wikipedia.org/wiki/1994_economic_crisis_in_Mexico)  (some  say 
the  government  knew  before  that  the  crisis  was  coming  and  took  advantage  of  the  information  protecting  their  interests). 

■  World  Bank  credit 

■  Brief:  Documents  related  with  the  World  Bank  credit  and  application  of  the  budget  to  combat  swine  flu. 

■  Entity:  World  Bank  (http://web.archive.org/web/20091 105061330/http://www.worldbank.org/mx) 

■  Renault  program 

■  Brief:  Documents  related  with  the  technology  currently  used  in  cellphones  in  Mexico  to  implement  the  RENAUT  program 
(http://web.archive.org/web/20091 10506l330/http://www.renaut.gob.mx/RENAUT/)  Information  about  the  security 
technology  used  to  protect  data  collected  from  users. 
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■  Brief:  Documents  related  to  the  transparency  of  Plan  Merida 

(http://web.archive.Org/web/20091105061330/http://en.wikipedia.org/wiki/M%C3%A9ridaJnitiative) 


Niger 

■  Arrangements  with  the  Sudanese  government 

■  Brief:  Documents  indicating  arrangements  with  the  Sudanese  government  to  grant  land  in  Darfur  to  Arab  settlers  from 
Niger  (Civilians  and  adminisratots  on  the  gruond  in  Darfur  indicate  this  has  been  taking  place). 


Norway 

■  Court  case  between  Lyse  Tele  and  Simonsen 

■  Brief:  The  secret  verdict  in  the  court  case  between  the  ISP  Lyse  Tele  and  the  law  firm  Simonsen,  decided  the  5th  of  May 
2009,  where  Simonsen  demanded  Lyse  Tele  disclose  the  identity  information  of  a  file  sharer  suspected  of  uploading  a  copy 
of  the  movie  Max  Manus  to  the  file-sharing  community. 

■  Entity:  Lyse  Tele  (http://web.archive.Org/web/2009  H05061330/http://www.lyse.no/) 

■  Entity:  Simonsen  (http://web.archive.org/web/20091 10506I330/http://www.simon$enlaw.no/) 

Puerto  Rico 

■  FBI  surveillance  of  Puerto  Rico  citizens 

■  Brief:  The  FBI  has  not  yet  finished  declassifying  all  the  secret  files  related  to  surveillance  of  Puerto  Rican  individuals  and 
organizations  from  the  1930-70's  http://www.pr-secretfiles.net/index.html  (not  to  mention,  large  sections  of  the  files  are 
blacked  out  by  the  FBI).  In  addition,  there  are  thousands  of  secret  files  produced  by  Puerto  Rican  police  that  were  only 
briefly  made  available  to  individuals  themselves,  and  have  now  been  closed  off  to  the  public.  These  documents  provide 
evidence  of  quite  a  significant  spying  and  intimidation  operation  by  the  United  States  and  local  police  against  leftists  and 
independence  movement  leaders. 

■  Entity:  FBI  (http://web.archive.org/web/20091 10506I330/http://www.fbi.gov/) 

Rwanda 

■  Financial  aid  for  Laurant  Nkunda 

■  Brief:  Documentation  of  financial  assistance  given  by  the  Rwandan  government  to  General  Laurant  Nkunda  for  operations 
in  the  DRC. 

■  Entity:  Laurent  Nkunda  (http://web.archive.org/web/20091 1 0506 1 330/http://en. wikipedia.org/wiki/Laurent_Nkunda) 

Russia 

■  VRYAN  crisis  documentation 

■  Brief:  Documents  related  to  the  VRYAN  crisis,  especially  political  documents,  analyses  of  intelligence,  and  specific  steps 
taken.  Information  on  the  mindset  of  the  Politburo,  as  well  as  intelligence  services,  and  what  exactly  they  feared,  and  how 
credible  they  believed  their  fear  to  be. 

■  Maps  for  Kremlin  and  military  hideouts 

■  Brief:  Maps,  floor  plans,  and  blueprints  of  Mount  Yamantaw  and  Kosvinsky  Mountain. 

■  Technology  analysis 

■  Brief:  Technical  plans,  manuals,  and  blueprints  for  the  SS-27  Sickle  B  (Topol-M),  along  with  the  Bulava. 

■  Brief:  Documents  relating  to  nuclear  warplans  of  the  Soviet  Union  and  Russia. 

■  Brief:  Documents  relating  to  orbital  weapons  systems,  and  whether  the  Soviets  ever  deployed  them  (or  still  deploy  them) 
such  as  orbital  HANE  devices. 

■  Brief:  A  list  and  description  of  the  various  agents  prepared  by  the  various  Soviet  and  Russian  bioweapons  programs. 
Indications  of  whether  they  developed  recombinant  DNA  based  agents,  and  what  those  are  specifically.  Weaponization  of 
agents,  including  re-entry  vehicle  mounting.  Doctrine  for  use,  including  deniable  use.  Vaccines  and  treatments  for  affected 
personnel. 

Slovenia 

■  Taped  conversations  between  Slovenian  opposition  leader  and  Croatian  PM 

■  Brief:  Taped  conversations  between  Slovenian  opposition  leader  Janez  Jansa  and  Croatian  prime  minister  Ivo  Sanader, 
recorded  by  Slovenian  intelligence  service  SOVA. 

■  Date:  Summer  2004 

■  Entity:  Janez  Jansa 

■  Entity:  Ivo  Sanader 
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■  Entity:  SOVA 

Sudan 

■  Salah  Gosh  and  the  CIA 

■  Date:  2005 

■  Documents  detailing  discussions  during  2005  meeting  between  Salah  Gosh  and  the  CIA  (for  which  the  CIA  flew  Gosh  on 
private  jet  from  Khartoum  to  CIA  HQ).  See:  http://www.sudantribune.com/article.php3?id_article=  10205 

■  Mali  case 

■  Brief:  Documents  indicating  arrangements  with  the  Sudanese  government  to  gram  land  in  Darfur  to  Arab  settlers  from  Mali 
(Civilians  and  adminisrators  on  the  gruond  in  Darfur  indicate  this  has  been  taking  place). 

■  Libya  case 

■  Brief:  Documents  indicating  arrangements  with  the  Sudanese  government  to  grant  land  in  Darfur  to  Arab  settlers  from 
Libya  (Civilians  and  adminisrators  on  the  gruond  in  Darfur  indicate  this  has  been  taking  place). 

■  Niger  case 

■  Brief:  Documents  indicating  arrangements  with  the  Sudanese  government  to  grant  land  in  Darfur  to  Arab  settlers  from 
Niger  (Civilians  and  adminisrators  on  the  gruond  in  Darfur  indicate  this  has  been  taking  place). 


Syria 

■  Assasination  of  Mehdi  Ben  Barka 

■  Brief:  All  the  documents  related  to  the  assasination,  in  1965,  of  Mehdi  Ben  Barka  still  held  in  France,  USA,  Israel  and 
Morocco.  In  1976,  thanks  to  the  Freedom  of  information  Act,  the  US  govemement  recognized  that  the  CIA  had  about  1800 
classified  documents  about  his  assassination.  Theses  documents  are  still  classified. 

Switzerland 

■  Cornu  Report 

■  Brief:  The  full  Comu  Report.  See  http://en.wikipedia.orgAviki/Projekt-26*The_Comu_Report 

Swaziland 

■  Expense  accounts  of  King  Mswati,  the  Queen  Mother  and  the  King's  wives. 

■  Memos  from  Ministry  of  Defense  or  Police 

■  Brief:  Intelligence  memos  from  the  Ministry  of  Defence  or  Police  about  the  pro-democracy  organization,  PUDF.MO. 

■  Entity:  Pudemo  (http://web.archive.org/web/20091 105061330/http://www.pudemo  org/) 

■  Entity:  Ministry  of  Defense  (http://web.archive.org/web/20091 105061330/http://www.gov.sz/home.asp?pid=59) 

Trinidad  and  Tobago 

■  Commission  of  Enquiry  reports 

■  Brief:  The  Report  on  the  Commission  of  Enquiry  into  the  construction  of  the  new  Piarco  Airport.  This  identified  corrupt 
practices  in  the  spending  of  public  funds.  The  Commission's  report  was  delivered  in  August  2003.  Nearly  6  years  later,  its 
findings  have  not  been  made  public. 

■  Brief:  Report  of  the  findings  of  the  current  Commission  of  Enquiry  into  the  local  construction  sector 

m  Entity:  Commission  Enquiry  (http://web.archive.org/web/20091 105061330/http://www.constructionenquiry.gov.tt/) 

■  Entity:  Piarco  airport  (http://web.archive.Org/web/20091105061330/http://www.piarcoairport.com/) 

■  Caroni  Bridge  collapse 

■  Brief:  The  Report  on  the  Caroni  Bridge  Collapse.  A  man  was  killed  when  a  bridge  collapsed  a  few  years  ago;  again  the 
public  has  not  been  made  aware  of  the  report's  findings. 

■  Date:  2nd  August  2008 

■  Waterfront  Development  Project 

■  Brief:  A  copy  of  the  contract  for  the  billion-dollar  Waterfront  Development  Project 

■  Entity:  ?udecott?  (http://web.archive.org/web/20091 10506l330/http://www.udecott  com/) 

■  Scholarships  sponsored  by  Ministry  of  Culture 

■  Brief:  List  of  recipients  and  amounts  of  scholarships  sponsored  by  Ministry  of  Culture  for  study  abroad. 

■  Entity:  Ministry  of  Culture  (http://web.archive.org/web/2009l  10506l330/http://www.gov.tt/) 

■  Detail: 
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As  far  as  Trinidad  and  Tobago  goes,  our  government  tends  to  pay  lip  service  to  the  principles  of  transparency  and 
accountability.  For  instance,  there  is  a  Freedom  of  Information  Act  which,  by  law,  allows  the  public  to  seek  information 
from  government  departments.  But  quite  often,  when  such  attempts  are  made  by  the  citizenry,  the  government  bars  full 
disclosure.  Depending  on  how  important  a  piece  of  information  is  to  Joe  Public,  he  may  actually  have  to  turn  to  the  courts 
to  "force"  the  government  to  reveal  facts  that  should  be  disclosed  voluntarily.  Following  are  a  few  examples  of  documents 
that  should  be  made  public,  but  have  not  been: 

■  The  Report  on  the  Commission  of  Enquiry  into  the  construction  of  the  new  Piarco  Airport  This  identified  corrupt  practices  in  the 
spending  of  public  funds.  The  Commission's  report  was  delivered  in  August  2003.  Nearly  6  years  later,  its  findings  have  not  been 
made  public. 

■  The  Report  on  the  Caroni  Bridge  Collapse.  A  man  was  killed  when  a  bridge  collapsed  a  few  years  ago;  again  the  public  has  not 
been  made  aware  of  the  report's  findings. 

■  The  Opposition  recently  brought  up  in  Parliament  the  issue  of  taxpayers'  money  being  used  to  pay  attorneys  by  state.  Although 
the  public  has  a  right  to  know  how  much  of  its  funds  were  used  in  paying  said  attorneys,  the  Attorney  General  refused  to  disclose 
the  sums,  saying  it  would  be  an  invasion  of  the  lawyers'  privacy 

■  The  same  goes  for  a  recent  request  in  Parliament,  whereby  *the  Minister  of  Planning  and  Development  was  asked  to  produce  a 
copy  of  the  contract  for  the  billion-dollar  Waterfront  Development  Project*.  The  Minister's  response  was  that  she  could  not 
produce  said  contract  for  public  discussion  because  there  was  a  confidentiality  clause  contained  therein  (for  a  project  being  built 
with  public  funds). 

■  The  Ministry  of  Culture  recently  awarded  scholarships  for  students  to  study  abroad  -  when  asked  in  Parliament  to  disclose  the  list 
of  recipients  and  the  dollar  value  of  the  scholarships,  the  response  was  that  this  was  private  information 

Uganda 

■  Ugandan  profit-sharing  agreements  with  oil  companies  in  south-western  Uganda 

■  Brief:  The  government  of  Uganda  has  recently  signed  a  number  of  profit-sharing  agreements  with  several  oil  companies 
that  are  conducting  explorations  in  southwestern  Uganda.  Releasing  these  documents  would  be  a  major  step  in  increased 
transparency  with  respect  to  the  country's  emerging  oil  industry. 

United  Kingdom 

■  Censorship  in  UK 

■  Brief:  List  of  current  and  expired  D-Notices 

■  Entity:  dnotice  (http://web.archive.org/web/20091 105061330/http://www.dnotice.org.uk/the_system.htm) 

■  Brief:  secret  gag  orders,  injunctions  and  legal  threats  sent  to  UK  newspapers 

■  Entity:  legal  contact  addresses  at  the  Guardian,  Daily  Mail,  Times,  Independent,  Evening  Standard,  etc. 

■  Brief:  Censorship  list  for  the  United  Kingdom's  "voluntary"  filter  system.  Known  to  be  held  by  The  Internet  Watch 
Foundation  (http://web.archive.org/web/20091 10506l330/http://www.iwf.org.uk/)  .  Companies  and  their  subsidiaries 
which  are  currently  being  supplied  with  the  IWF  list.  Most  ISP's  in  the  UK  have  a  copy  of  the  IP's  on  the  list. 

■  Entity:  The  Internet  Watch  Foundation  (http://web.archive.org/web/2009l  105061330/hltp://www.iwf  org.uk/) 

■  Iraq  war  planning 

■  Brief:  The  secret  cabinet  minutes 

(http://web.archive  org/web/20091 105061330/http://news.bbc.co.uk/2/hi/uk_news/politics/7752009.stm)  and  legal  advice 
(http://web.archive.org/web/20091 105061330/http://news.bbc.co.uk/2/hi/uk_news/politics/4381379.stm)  pertaining  to  the 
allegedly  illegal  war  and  ongoing  occupation  of  Iraq. 

■  Roger  Hollis  surveillance 

■  Brief:  UK  Government  documentation  into  the  investigation  of  Roger  Hollis,  head  of  MI5  between  1956  and  1965, 
including  the  report  by  Lord  Trend,  into  the  serious  but  apparently  unproven  allegations  of  being  a  Russian  Spy. 

■  Entity:  MIS  (http://web.archive.Org/web/20091105061330/http://www.mi5.gov.uk/) 

■  Wythenshawe  intelligence  centre 

■  Brief:  Documents  detailing  the  information  stored  and  collected  by  the  Wythenshawe  intelligence  centre.  [2] 
(http://web.archive.org/web/20091 1 0506 1 330/http://www.timesonline. co.uk/tol/travel/news/article5683677.ece) 

■  Police  surveillance  on  climate  change  protestors 

■  Brief:  A  copy  of  the  police  intelligence  handed  to  EON  about  climate  change  protestors.  [3] 
(http://web.archive.org/web/20091 1 05061 330/http://www.  guardian,  co.uk/uk/2009/apr/20/police-intelligence-e-on-ben) 

■  Entity:  E.ON  (http://web.archive.org/web/20091 105061330/htlp://www.eon-uk.com/) 

■  MP  expenses 

■  Brief:  The  full  MP  expenses  data;  how  much  the  Telegraph  paid  for  them. 

■  Entity:  Daily  Telegraph  (http://web.archive.org/web/20091 105061330/http://www.telegraph. co.uk/) 

■  Entity:  UK  Parliament  (http://web.archive.org/web/20091 105061330/http://www.parliament.uk/) 

■  Allan  Cappelow  murder 
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■  Brief:  Documents  revealing  why  the  trial  of  Wang  Yam,  who  was  convicted  of  killing  Allan  Chappelow,  was  held  in 
camera,  the  first  UK  murder  trial  ever  heard  behind  closed  doors  without  access  by  press  or  public[4] 
(http://web.archive.org/web/2009 1 1 0506 1 330/http://en.  wikipedia.org/wiki/Allan_Chappelow) 

■  Nationalisation  of  Northern  Rock  and  Bradford  &  Bringley 

■  Brief  The  proper  reasons  for  nationalisation  of  Northern  Rock  and  Bradford  &  Bingley,  and  the  subsequent  sale  of  the 
latter's  savings  buisiness  to  Santander. 

■  Brief:  Records  of  events  during  the  twelve  months  leading  up  to  the  nationalisation  of  Bradford  &  Bingley. 

■  Brief:  Information  regarding  the  valuation  process  to  determine  compensation  for  fromer  shareholders  of  Northern  Rock 
and  Bradford  &  Bingley,  that  is,  the  information  the  independent  valuer  uses  to  determine  the  final  value  of  the  comapanies. 

■  Entity:  B&B  (http://web.archive.org/web/2009l  105061330/http://www.bbg.co.uk/) 

■  Entity:  Northern  Rock  (http://web.archive.org/web/20091 105061330/http://www.northernrock.co.uk/) 

■  HBOS  takeover 

■  Brief:  Copies  of  government  minutes  of  meetings  between  Gordon  Brown  and/or  Alistair  Darling  and  representatives  of 
Lloyds  Bank  relating  to  the  proposed  takeover  of  HBOS. 

■  Investigation  into  Daveport  Lyons 

a  Brief:  Documents  from  Solicitors  Regulation  Authority’s  investigation  into  Davenport  Lyons  threatening  letters  related  to 
ftiesharing. 

United  Nations 

a  Security  Council  and  Darfur 

a  Brief:  Requests  to  the  Security  Council  in  2003  that  the  Security  Council  look  at  what  was  happening  in  Darfur,  and  any 
notes  of  discussions  leading  to  the  decision  not  to  look  at  the  situation, 
a  Date:  2003 

a  Entity:  UN  Security  Council 

United  States 

Important  bulk  databases 
b  Inteliipedia 

a  Brief:  Classified  intelligence  community  site  as  of  1 1/1/2008,  including  article  history. 
b  opensource.gov 

b  Brief:  The  complete  CIA  Open  Source  Center  analytical  database.  The  database  is  extensive,  unclassified,  non-public,  but 
relatively  accessible  to  certain  outsiders  after  jumping  through  hoops.  Despite  its  name,  you  need  to  be  government  official 
to  gain  access  to  it. 

a  Entity:  opensource.gov  (http://web.archive.org/web/20091 105061330/http://www.opensource.gov/) 

a  Pacer  database 

a  Brief:  The  complete  PACER  database.  The  PACER  database  contains  extensive  US  federal  court  records.  They  are  public 
documents,  currently  behind  a  paywall.  See  http://arstechnica.com/tech-policy/news/2009/04/case-against-pacer.ars 
a  Entity:  PACER  (http://web.archive.org/web/20091 I05061330/http://pacer.psc.uscourts.gov/) 

Federal  politics 

a  The  missing  five  million  White  House  emails-possibly  no  longer  in  existence, 
a  Chenney  and  Rumsfeld  Archives 
a  The  White  House  visitor's  list 
a  Minutes  or  notes  for  VP  Cheney's  Energy  Conference. 

b  The  1 141  pages  of  ACTA  background  documents  not  released  to  the  EFF  by  the  US  Trade  Representative  (see  [5] 

(http://web.arehive.org/web/2009 1 1 0506 1 330/https://secure.efT.org/site/Advocacy?cmd=display&page=UserAction&id=420) ) 
a  A  list  of  all  Whitehouse  and  senior  federal  government  employees  holding  dual  citizenship  and  the  countries  they  represent. 

Military  and  Intelligence 

b  The  SlOP 

a  OPLAN/CONPLAN  8022,  2003  revision. 
b  OPLAN/CONPLAN  8044,  2007  revision. 

a  CIA  detainee  interrogation  videos.  While  the  CIA  claims  to  have  destroyed  92  of  the  videos,  others  are  known  to  remain, 
a  The  US  "Black  Budget",  from  inception  to  present,  with  line  items,  hopefully  annotated  and  explained, 
a  Detainee  abuse  photos  withheld  by  the  Obama  administration, 
a  Wiretapping  program  led  by  NSA 

b  Brief:  Correspondence  between  the  National  Security  Agency  and  American  telecom  companies  such  as  AT&T,  Verizon, 
and  Qwest,  regarding  the  wan  antless  wiretapping  program.  Correspondence  involving  telecoms  who  cooperated  with  the 
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NSA  (e  g.  AT&T)  may  give  different  information  than  telecoms  who  refused  (e  g.  Qwest),  but  both  types  would  better  shed 
light  on  the  NSA's  program.  The  existence  of  this  correspondence  is  well  documented  in  the  media,  for  example  that 
Qwest's  lawyers  refused  to  cooperate  because  the  FISA  Court  had  not  signed  off  on  it. 

■  Entity:  NSA  (http://web.archive.org/web/20091 105061330/http://www.nsa.gov/) 

■  Entity:  Qwest  (http://web.archive.org/web/20091 10506l330/http://www.qwest  com/) 

■  Entity:  AT&T  (http://web.archive.org/web/20091 105061330/http://www.att.com/) 

■  Entity:  Verizon  (http://web.archive.org/web/20091 1 0506 1330/http://www. verizon.com/) 

■  Unredacted  copy  of  Dept  of  Justice's  Office  of  Inspector  General’s  "A  Review  of  the  FBI' s  Actions  Connection  With  Allegations 
Raised  By  Contract  Linguist  Sibel  Edmonds'1  July  1,  2004  (redacted  version  here  http://www.wbez.org/FlLES/sibel  pdf ) 

■  Camp  Delta  (Guantanamo)  Standard  Operating  Procedure  2005-2009. 

■  Iraq  US  Army  Rules  of  Engagement  2007-2009  (SECRET). 

■  Unredacted  Inquiry  into  the  Treatment  of  Detainees  in  US  Custody,  20  Nov  2008. 

■  Memorandum  between  the  CIA  and  the  Department  of  State  detailing  any  constraints  on  Darfur  policy  caused  by  actual  or 
anticipated  Sudanese  government  cooperation  on  counter-terrorism,  including  CIA  request  to  USUN  that  Salah  Gosh  be  removed 
from  the  UN  Panel  of  Experts  list  of  those  recommended  for  sanction.  See:  http://www.sudantribune.com/article.php3? 
id_article=  10205 

■  Department  of  State  and  CIA  contributions  to  the  Obama  Administration's  2009  Sudan  Policy  Review,  in  particular  with  respect 
to:  a)  Whether  to  support  the  ICC  arrest  warrant  against  Sudanese  President  Bashir;  b)  whether  to  take  a  confrontational  or  an 
appeasement  approach  to  the  Sudanese  government  on  the  issue  of  Darfur. 

■  Camp  Delta  (Guantanamo)  Standard  Operating  Procedure  2005-2009. 

■  Camp  Delta  (Guantanamo)  Interrogation  Standard  Operating  Procedure  2003-2009. 

■  Correspondence  between  the  National  Security  Agency  and  American  telecom  companies  such  as  AT&T,  Verizon,  and  Qwest, 
regarding  the  warrantless  wiretapping  program.  Correspondence  involving  telecoms  who  cooperated  with  the  NSA  (e  g.  AT&T) 
may  give  different  information  than  telecoms  who  refused  (e.g.  Qwest),  but  both  types  would  better  shed  light  on  the  NSA's 
program.  The  existence  of  this  correspondence  is  well  documented  in  the  media,  for  example  that  Qwest's  lawyers  refused  to 
cooperate  because  the  FISA  Court  had  not  signed  off  on  it. 

■  Iraq  and  Afhanistan  US  Army  Rules  of  Engagement  2007-2009  (SECRET). 

■  C1A/DIA/NGA/NSA  analyses  of  the  VRYAN  crisis  of  1983. 

■  Technical  specifications  of  the  KH-I 1  and  follow-on  satellites  with  similar  capabilities. 

■  The  contents  of  the  Football,  and  how  they  changed  over  the  years  during  the  different  Administrations 

■  What  Pollard  stole  and  gave  to  the  Mossad,  the  full  text. 

■  US  psychological  profiles  and  political  analyses  of  Soviet  leaders. 

■  Documents  relating  to  orbital  weapons  systems,  and  whether  the  US  ever  deployed  them  (or  still  deploy  them)  such  as  orbital 
HANE  devices. 

■  Information  about  the  PAN  satellite  and  the  agency  responsible  for  it  http://spaceflightnow.com/news/n0905/26milspace/ 

■  Commander  Directed  Report  of  Investigation  Concerning  an  Unauthorized  Transfer  of  Nuclear  Warheads  Between  Minot  AFB, 
North  Dakota  and  Barksdale  AFB,  Louisiana  -  30  August  2007  (S//FRD//MR) 

■  Investigation  into  the  Shipment  of  Sensitive  Missile  Components  to  Taiwan  (ADM  Donald  Report)  -  22  May  2008 
(S//FR  D//NOF  ORN) 

■  Air  Force  Comprehensive  Assessment  of  Nuclear  Sustainment  (CANS)  -  July  2008  (S//FRD//NOFORN) 

■  General  Order  Number  One  issued  by  commanders  in  Iraq  and  Afghanistan 

■  Reports  about  Colombian  'falsos  positives' 

■  Unredacted  copy  of  Dept  of  Justice's  Office  of  Inspector  General's  "A  Review  of  the  FBI' s  Actions  Connection  With  Allegations 
Raised  By  Contract  Linguist  Sibel  Edmonds"  July  I,  2004  (redacted  version  here  http://www.wbez.org/FlLES/sibel.pdf) 

■  All  secret  annexes  for,  attachments  to,  unredacted  versions  of,  and  documents  implicitly  or  explicitly  referenced  in  the 
following  documents,  which  may  be  partially  available  in  unclassified  form: 

■  National  Security  Presidential  Directive  5 1 ,  "National  Continuity  Policy",  May  9,  2007,  also  known  as  Homeland 
Security  Presidential  Directive  20 

■  Federal  Preparedness  Circular  65,  "Federal  Executive  Branch  Continuity  of  Operations  (COOP)",  July  26,  1999 

■  Federal  Response  Plan  [FEMA  9230. 1 -PL],  April  1999 

■  Presidential  Decision  Directive  67,  "Enduring  Constitutional  Government  and  Continuity  of  Government 
Operations",  October  21,1 998 

■  Presidential  Decision  Directive  63,  "Critical  Infrastructure  Protection  (C1P)",  May  22,  1998 

■  Presidential  Decision  Directive  62,  "Protection  Against  Unconventional  Threats  to  the  Homeland  and  Americans 
Overseas",  May  22,  1 998 

■  FPC  65  Federal  Response  Planning  Guidance  01-94,  "Continuity  of  Operations  (COOP)",  December  4,  1994 

■  PDD  67  National  Security  Directive  69,  "Enduring  Constitutional  Government",  June  2,  1992 

■  FPC  65  Federal  Preparedness  Circular  61.  "Emergency  Succession  to  Key  Positions  of  the  Federal  Departments  and 
Agencies",  August  2,  1991 

■  Federal  Preparedness  Circular  62,  "Delegation  of  Authorities  for  Emergency  Situations",  August  I,  1991 

■  Federal  Preparedness  Circular  60,  "Continuity  of  the  Executive  Branch  of  the  Federal  Government  at  the 
Headquarters  Level  During  National  Security  Emergencies",  November  20,1990 

■  National  Security  Directive  37,  "Enduring  Constitutional  Government",  April  18,  1990 

■  Executive  Order  12656,  "Assignment  of  Emergency  Preparedness  Responsibilities",  November  18,  1988 

■  Executive  Order  12472,  "Assignment  of  National  Security  and  Emergency  Preparedness  Telecommunications 
Functions",  April  3,  1984 

■  NSD  69  NSDD  55,  "Enduring  National  Leadership"  September  14,  1982 

■  Executive  Order  12148,  "Federal  Emergency  Management",  July  20,  1979 
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■  A  list  of  the  actual  facilities  in  the  Federal  Relocation  Arc,  as  of  the  present  time,  along  with  their  locations. 

■  Blueprints,  maps,  and  floor  plans  of  MWEOC. 

■  Blueprints,  maps,  and  floor  plans  of  Site  R  (Raven  Rock). 

■  Blueprints  and  floor  plans  of  all  unmeniioned  facilities  in  the  Federal  Relocation  Arc,  including  historical  ones. 


Banking 

■  The  complete  list  of  identities  of  the  52,000  wealthy  American  clients  suspected  of  hiding  $15  billion  at  UBS  to  avoid  taxes, 
including  the  names  of  any  elected  or  appointed  government  or  former  government  officials. 

■  The  complete  details  of  Goldman,  Sachs  &  Co.'s  counterparty  exposure  to  A1G  prior  to  the  Federal  bailout  of  A1G  in  September, 
2008. 

Environment 

■  Monsanto's  internal  evaluations  of  GMO  products  including  safety  and  pollen  drift. 

Media 

■  The  Editorial  Guidelines  for  Fox  News 

■  Emails  relating  to  suppressed  GQ  Magazine  article  on  Putin's  rise  by  Scott  Anderson  mentioned  at  [6] 
(http://web.archive.org/web/2009l  1 0506 1330/http://www  npr.org/templates/story/story. php?storyld=  I 12530364) 

Religion 

■  Mormons  Church  records 

■  With  recent  leak  of  1999/2006  Church  Handbook  of  Instructions,  pertinent  documents  and  covertly  photographed  artifacts 
in  the  vault  at  Church  Office  building  or  subsidy  in  Salt  Lake  City,  Utah  which  expose  and  negate  Mormon  Church's  claim 
of  divinity  and  its  monopoly  on  "truth."  l.e.  the  concealed  remnants  of  diaries  and  letters  written  by  former  early  Mormon 
apostle  William  McLellin  [7]  (http://web.archive.org/web/2009l  105061330/http://en.wikipedia.org/wiki/William_E._M% 
27Lellin*Personal_writings)  McLellin  diary  and  documents  was  the  main  point  of  interest  for  convicted  double 
murderer/bomber  Mark  Hofmann's  planned  forgery  attempt  to  deceive  Mormon  leaders  to  obtain  in  fraud  by  deception 
monetary  reward  to  suppress  truth  of  early  Mormon  history  unfavorable  to  current  Mormon  religion  For  more  info,  [8] 
(http://web.archive.org/web/20091 10506l330/http://www.utlm.org/onlinebooks/trackingch3.htm) . 

■  Documents  of  Mormon  Church's  billion-dollar  investment  in  City  Creek  Mall  and  Condominium  in  SLC,  which  may  put 
Mormon  Church's  IRS  tax-exempt  status  in  jeopardy  if  there  is  verification  of  the  allegation  the  Church  used  tithe  and 
offering  monetary  contributions  by  the  members  to  fund  the  project  under  the  umbrella  of  tax-exempted  religious  freedom. 

■  Mormon  Church  leadership's  involvement  in  politics,  such  as  correspondence  to  ecclesiastical  subordinates  (bishopric)  on 
policy  and  attitude  towards  same-sex  civil  rights  &  other  sensitive  issues  relevant  and  concerning  to  the  leaders.  As  well  as 
recorded  correspondences  between  Mormon  members  of  Utah  legislation  and  Church  leaders  on  sensitive  political 

issu Italic  lexies  for  legislation  purposes  which  may  contravene  the  separation  of  church  and  state. 

■  Uncovered  film  or  audio  recording  featuring  the  play  with  the  actor  portraying  Protestant  minister  encouraged  by 
Satan/Lucifer  (portrayed  by  actor)  to  spread  false  doctrines  to  attack  all  religions  outside  of  Mormon  religion  as 
"abominable"  which  was  exhibited  for  qualified  "temple  recommend"  audiences  in  all  of  the  existing  temples  prior  to 
removal  in  1990  (almost  like  leaked  Scientology  orientation  video)  [9] 

(http://web.archive.org/web/2009l  10506 1330/http://www.exmormon.org/mormon/mormon288.htm) . 

■  Unearthed  secret  audio  or  video  recording  inside  Mormon  temple  with  the  temple  members  swearing  "blood  oath"  before 
removal  in  1990.  [10]  (http://web.archive.org/web/20091  l0506l330/http://en.wikipedia.org/wiki/Blood_oath_ 

(Latter  Day  Saints)) 

■  Documented  Church  leaders'  and  lay  clergy's  cover-up  of  physical/sexual  abuse  and  rape  of  minors  by  missionaries  and 
members  without  reporting  to  law  enforcement  in  some  cases  [11] 

(http://web.archive.org/web/2009l  10506l330/http://www.exmormon.org/mormon/mormon384.htm) . 

■  Older  editions  of  Church  Handbooks  of  Instructions  from  the  first  edition  up  [12] 

(http://web.archive.org/web/20091 10506l330/http://en. wikipedia.org/wiki/Church_Handbook_of_lnstructions*  History)  for 
comparison  to  recent  leaked  1968  (truncated),  1999  and  2006  editions. 


Vatican 

■  Vatican  secret  archives 

■  Brief:  The  Index  of  the  Vatican  Secret  Archive.  At  present  pre-screned  scholars  are  allowed  to  see  it  but  not  copy  it  (under 
scholar  rule  *16  http://asv.vatican.va/en/fond/amm.htm) 

■  Vatican's  documents  on  nazi  Germany 

■  Brief:  All  documents  pertaining  to  Nazi  Germany  and  the  Vatican,  as  well  as  those  relating  to  the  post-war  rat  line  to 
Argentina.  Refer  to  http://news.bbc.co.Uk/2/hi/europe/26l  1847. stm 

International  organizations 

■  Bilderberg  Group 
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■  Brief:  Bilderberg  Group  meeting  minutes,  papers  and  annual  reports  of  since  1954.  WikiLeaks  has  some  years  already. 
Bilderberg  is  an  annual  off-the  record  conference  of  transatlantic  political,  economic  and  ideological  agenda  setters.  As  an 
historically  important  confidential  document  collection  it  is  probably  only  equaled  by  Cabinet  minutes  and  high  level 
intelligence  and  diplomatic  assessments.  Leads:  There  are  some  older,  previously  unnoticed  records  in  boxes  at  Uni  of 
Illinois  http://www.library.illinois.edu/archives/uasfa/l535051.pdf  (1956-1970)  the  George  Bush  library, 
http://bushlibrary.tamu.edu/research/finding_aids/pdfs/08-0379-F.pdf  and  the  Eisenhower  Library  in  Kansas 
http://www.eisenhower.utexas.edu/Research/Finding_Aids/PDFs/Jackson_CD_Records.pdf 

■  Entity:  Bilderberg  Group  (http://web.archive.org/web/20091 10506 1 330/http://en. wikipedia.org/wiki/Bilderberg_Group) 

■  Alliance  Base 

■  Brief  Documents  regarding  the  founding  and  operation  of  Alliance  Base 
(http://web.archive.org/web/2009 1 1 0506 1 330/http://en.  wikipedia.org/wiki/AIIiance_Base) . 
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35  International  organizations 


Austria 


•  Austrian  e-Voting  system  used  in  students  elections. 

•  Date:  18  May  2009 

•  Brief:  We  seek  for  details  about  Austrian  voting  system  used  in  students  elections,  which  includes  but  is  m 
certifications. 


:  limited  to  source  code  and  i 


•  Entity 

•  Entity 

•  Entity 

•  Entity 


Scvtl  (programming) 


Ministry  of  Science  (initiator) 
Robert  Krimmer  (consulting) 


•  E-Mail  traffic  between  Josef  PrOII  and  Christian  Konrad. 

•  Date:??? 

•  Brief:  E-Mail  traffic  between  minister  of  finance  Josef  Prftll  and  Christian  Konrad,  who  is  advocate  general  of  Raiffeisen  bank. 
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•  Entity:  Josef  PrOU  (josef.proell@btnf.gv.at ) 

•  Entity:  Christian  Konrad 

•  E-Mail  traffic  of  Anton  Mabdalik  with  Michael  HSupl  and/or  Michael  Ludwig 

-  Date:  ??? 

•  Brief:  E-Mail  traffic  of  FPO  delegate  Anton  Mahdalik  with  Viennese  mayor  Michael  HSupl  and/or  deputy  mayor  Michael  Ludwig 
containing  threats  when  renting  municipal  ground  to  the  Viennese  trailor  park  ("Wagenplatz  Wien"). 

•  Entity:  Anton  Mahdalik  (toni.mahdalik@fpoe.at ) 

-  Entity:  Michael  HSupl  (michael.haeupl@wien.gv.at ) 

Australia 

•  ACMA  URL  blacklist 

-  Date:  19  March  2009  and  later 

•  Brief:  Versions  of  the  ACMA  URL  blacklist  newer  than  19  March  2009.  WikiLeaks  previously  released  three  versions  of  the  list,  two  of 
which  included  WikiLeaks  or  its  subpages. 

"  Entity:  Australian  Communications  and  Media  Authority 

•  Censorship  technology  in  Australia 

•  Date:  2009 

•  Entity:  Australian  Communications  and  Media  Authority 

•  Entity:  Enex  Testlabs 

•  Entity:  Watchdog  NZ 

°  Entity:  [www.iwf.org.uk  Internet  Watch  Foundation] 

•  Entity:  Exetel  ISP 

•  Brief:  Full  details  of  filtering  hardware/software  vendors  participating  in  government-sponsored  ISP-level  censorship  technology  trials, 
including  (but  not  limited  to): 

■  Any  and  all  communications  between  filter  vendors  and  government  departments  prior  to,  during,  and  after  the  trials 

■  Any  and  all  transactions,  contracts,  and  other  financial  arrangements  involving  filter  vendors 

•  Details: 

■  URL  blacklists)  used  during  above  trials.  Alleged  (by  government)  to  be  ACMA  URL  blacklist. 

■  Full  statistical  breakdown  of  results  of  above  trials  (in  the  event  that  Enex  Testlabs  do  not  make  them  publicly  available). 

■  URL  blacklist  as  used  by  Watchdog  NZ  during  private  censorship  technology  trial  by  ISP  Exetel  in  May  2009.  Alleged  (by 
Watchdog)  to  have  been  IWF  list  (see  United  Kingdom). 

■  Full  statistical  breakdown  of  results  of  Watchdog/Exetel's  censorship  technology  trial  -  Exetel's  official  response  seems  lacking. 

•  Annual  NSW  Police  test 

•  Brief:  Written  exam  NSW  police  officers  must  take  annually  before  they  can  be  issued  with  Tasers. 

•  Entity:  NSW  Pplicg 

Bahrain 


*  Documents  regarding  changes  to  country's  demography. 

•  Brief:  Documents  disclosing  the  number  of  citizenships  that  have  been  granted  in  the  last  few  years,  in  an  effort  to  change  the  country's 
demography.  See  Political  naturalisation!  11. 

Belgium 

•  Document  regarding  quality  audits  of  Belgian  hospitals 

•  Brief:  Documents  disclosing  the  fatality  rates  of  specific  procedures  and  illnesses  per  hospital.  Indicating  statistically  significant 
differences  in  survival  chances  between  hospitals. 


China 


•  Golden  Shield  Project 

•  Brief:  A  list  of  URLs  and  keywords  censored  filtered  by  the  Golden  Shield  Project  (Great  Firewall  of  China).  WikiLeaks  has  previously 
released  related  information,  for  example,  watch  lists,  policies  and  several  thousand  URLs  for  CCTV  and  Baidu,  but  not  for  general  http 
filtering. 

•  Entity:  Ministry  of  public  security 

■  Genocide  Olympics  campaign 

•  Date:  28th  March  2007 

•  Brief:  Policy  options  on  Darfur  formulated  in  response  to  the  so-called  Genocide  Olympics  campaign  led  by  American  actress,  Mia 
Farrow,  and  notes  of  meetings  in  2007  between  Stephen  Spielberg  and  Chinese  Foreign  Ministry  officials  prior  to  Spielberg's 
resignation  as  Artistic  Director  of  the  2008  Beijing  Olympics. 
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Colombia 


•  Surveillance  of  citizens  and  organisations 

•  Brief:  The  DAS  (Depaitamento  Administrative  de  Seguridad)  is  reported  to  have  surveilled  a  wide  array  of  public  officials,  private 
citizens,  and  organizations.  Documents  wanted:  contracts  to  supply  software  for  internet  surveillance  to  Colombian  policy  agencies  and 
details  of  the  software  supplied. 

•  Entity:  DAS 


Finland 

•  Tiitisen  Lista 

•  Brief:  The  so  called  Tiitisen  Lista,  the  list  of  18  persons  claimed  to  have  been  in  active  contact  with  East  German  security  services 
(Stasi).  The  list  was  received  from  the  West  German  intelligence  services  (BND)  in  1990  and  since  classified  by  the  order  of  President 
Koivisto  as  adviced  by  the  head  of  the  Finnish  Security  Police  (Suojelupoliisi),  Seppo  Tiitinen.  It  is  rumoured  that  several  current  or 
former  top  Finnish  politicians  appear  on  the  list. 

•  Entity:  Stasi 

•  Entity:  Koivisto 

"  Entity:  Suojelupoliisi 


France 

•  Nicholas  Sarkozy'  health  report 

0  Brief:  The  Monthly  Health  Report  of  President  Nicolas  Sarkozy,  as  promised  by  himself  during  the  last  presidential  elections. 

Germany 

■  Censorship  in  Germany 

•  Details: 

■  The  censorship  filter  list  for  the  proposed  national,  mandatory  censorship  system.  The  list  will  be  compiled  by  German  federal 
criminal  police  BKA  and  distributed  to  internet  service  providers. 

■  The  contents  of  the  contract  between  the  BKA  and  some  ISPs  that  has  already  been  signed,  but  is  kept  secret  due  to  "public 
safety"  and  copyright  concerns  (see  http://bloa. fefe.de/? ts=b4fa8af8j. 

■  The  List  of  Media  Harmful  to  Young  People  (the  censorship  system  already  in  place).  The  "virtual  media"  part  of  this  list  is 
distributed  to  search  engine  providers  and  is  illegal  to  publish.  It  probably  could  be  reverse  engineered  using  the  differences 
between  google.com  and  google.de  search  results.  Also,  if  you  want  to  know  if  a  specific  medium  is  on  the  list,  you  can  send  an 
enquiry  to  liste@bundesDruefstelle.de  rBundesprtlfstelle"  is  the  agency  responsible  for  keeping  the  list). 

0  Entity:  Bundesprufstelle 

•  Entity:  BKA 

•  Politician's  Stasi  files 

•  The  Stasi  files  of  Federal  Chancellor  Angela  Dorothea  Merkel  (maiden  name  Kasner)  and  other  leading  politicians,  which  are  known  to  exist, 
but  withheld  from  public 

•  Operation  Gladio 

•  Brief:  The  Stasi  files  relating  to  operation  Gladio  /  stay  behind  organisations  in  relation  to  right-wing  terrorism  in  Germany,  as  per  a 
parliamentary  request  by  the  Green  party. 

•  Atlas  Der  Wut 

•  Brief:  The  so  called  "Atlas  der  Wut",  a  document  about  the  risk  of  riots  in  different  german  regions.  The  list  is  said  to  be  updated 
regulary  and  was  first  written  in  2005. 

•  The  list  of  NPD  party  members 

Greece 

The  Athens  Affair 

•  Brief:  Documents  related  to  the  Athens  phone  tapping  affair  that  have  yet  to  be  released  (including  those  from  countries  other  than  Greece) 
Context 

Guatemala 

•  Plan  Victoria  82,  Plan  Sofia  and  Plan  Fermeza  83 

•  Brief:  All  documents  on  Plan  Victoria  82,  Plan  Sofia  and  Plan  Firmeza  83. 

•  Detail: 
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Within  the  process  of  trying  to  bring  military  personal  involved  in  human  rights  violations  and  massacres  that  happen  during  the  civil 
war  in  Guatemala  to  justice,  the  military  have  been  required  to  declassify  many  war  documents.  In  a  case,  that  went  all  the  way  to  the 
Supreme  Court  of  Guatemala,  the  Court  dictated  a  sentence  that  confirmed  the  obligation  of  the  Ministry  of  Defense  of  Guatemala  to 
hand  over  the  official  documentation  of  four  specific  military  operations:  Campana  Sofia  82,  Victoria  82,  Firmeza  83  and  Operacion 
Ixil.  The  Supreme  Court  sentence  indicated  that  the  archives  had  to  be  declassified. 

These  military  operations  were  carried  out  in  the  80s.  According  to  the  CEH,  Historical  Clarification  Commission  of  Guatemala  final 
report  contained  in  "Guatemala:  Memory  of  Silence",  these  military  operations  resulted  in  massacres  and  severe  human  rights 
violations. 

The  Minister  of  Defense  Abraham  Valenzuela  only  delivered  partial  information  about  plans  Victoria  82  and  Firmeza  83,  two  of  the 
four  requested  plans.  He  indicated  that  he  had  no  knowledge  of  the  other  two  plans  before  he  became  Minister  of  Defense  and  that  he 
ignores  where  the  documentation  could  be.  He  stated  that  he  could  not  deliver  the  complete  plans  "Victoria  82"  y  "Firmeza  83"  because 
certain  information  was  considered  state  secret  and  a  concern  of  national  security. 

"Plan  Sofia",  a  derivative  of  "Plan  Victoria  82",  was  of  special  concern  to  human  rights  activists;  this  plan  was  conceived  in  July  1982, 
four  months  after  General  Effain  Rios  Monti  came  into  power. 

•  The  CEH  archives 

•  Brief:  Final  report  of  United  Nations'  Historical  Clarification  Commission  (CEH)  into  the  killing  of  200,000  Mayan  people  and  the 
involvement  of  the  US  government  and  American  corporations.  The  report  official  sources  (military  interviews,  campaign  plans,  etc)  are 
kept  secret  by  the  UN  in  NYC. 

•  Detail: 

The  United  Nations'  Historical  Clarification  Commission  (CEH)  for  Guatemala  issued  a  report  where  the  US  government  and  several 
American  corporations  were  accused  of  complicity  in  the  genocide  of  nearly  200,000  Mayan  people  during  Guatemala?s  bloody  36-year 
civil  war.  The  final  3,600-page  CEH  report  clearly  places  the  blame  for  most  of  the  200,000  deaths  on  the  "racist"  policy  of  the 
Guatemalan  government  and  holds  the  country?s  military  and  paramilitary  forces  responsible  for  the  actual  killings,  tortures  and 
disappearances. 

However,  it  accuses  the  US  of  directly  and  indirectly  supporting  a  "fratricidal  confrontation"  by  providing  sustained  training,  arms  and 
financial  aidThe  report  is  based  on  the  testimony  of 9,200  people  from  all  sides  of  the  conflict  and  other  documents*,  classified  and 
Secret,  protected  in  the  UN  headquarters  in  NYC.  The  CEH  investigated  42,000  human  rights  violations,  29,000  of  which  resulted  in 
deaths  or  disappearances  and  therefore,  the  documents  under  UN  custody  are  fundamental  for  the  prosecution  of  those  responsible  of  the 
crimes. 


*  Goldcorp  affair 

•  Brief:  *  Documents  on  Canadian  corporation  named  Goldcorp  with  a  mining  operation  in  Guatemala,  especially  information  on  where 
the  Gold  they  extract  is  processed  and  who  is  buying  the  gold  (we  think  it  might  be  a  Swiss  company). 

°  Detail:  A  Canadian  corporation  named  Goldcorp  has  a  mining  operation  in  Guatemala  with  poor  environmental  conditions  and  harming 
health  of  many  workers  and  a  community  as  a  whole.  Where  die  Gold  they  extract  is  processed?  Who  is  buying  the  gold  (we  think  it 
might  be  a  Swiss  company)? 


Italy 

•  Italian  censorship  list 

0  Brief:  The  full  Italian  censorship,  of  which  Wikileaks  currently  only  has  a  subset. 


Kenya 

■  Reports  on  high  level  corruption  in  Kibaki  government 

•  Brief:  The  international  investigative  firm  Kroll  associates  produced  at  least  four  reports  on  high  level  Kenyan  corruption  after  first  term 
of  the  Kibaki  government.  A  draft  version  of  one  of  the  reports  The  looting  of  Kenya,  was  previously  published  by  WikiLeaks.  The 
reports  were  given  to  selected  members  of  President  Kibaki's  cabinet  at  the  time  and  are  likely  still  held  by  http://www.kroH. com.uk/. 
notably  lead  investigator  Andrew  Marshall. 

•  Entity:  President  Kibaki 

•  Entity:  Kroll 

Libya 

•  Arrangements  with  the  Sudanese  government 

•  Brief:  Documents  indicating  arrangements  with  the  Sudanese  government  to  grant  land  in  Darfur  to  Arab  settlers  from  Libya  (Civilians 
and  adminisrators  on  the  gruond  in  Darfur  indicate  this  has  been  taking  place). 


Madagascar 


Both  sides  of  the  political  conflict  in  Madagascar  are  crying  fouls  about  the  deals  made  by  their  counterparts  with  foreign  entities.  The  release  of  the 


to  contract  negotiations  about: 
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•  Oil  exploitation  in  the  region  of  Bemolanga  (  South  of  Madagascar)  by  Total  &  others 

*  Detail:  Oil  and  Gas  in  Madagascar  -  Industry  Overview.  Infos  on  Total  licensing 

•  an  obvious  one  but  the  proposed  final  contract  before  rejection  of  the  land  deal  with  Daewoo  Logistics. 

•  The  recent  agreement  with  Saudi  investment  group  on  staple  products  and  proposed  $2  billion  USD  investment. 

•  The  revised  mining  exploitation  agreement  with  Sheritt  in  Ambatovy  and  Rio  Tinto  in  Fort-Dauphin. 

•  Least  but  not  last,  the  complete  list  of  current  political  prisoners  and  the  charges  against  them. 

Mali 

■  Arrangements  with  the  Sudanese  government 

"  Brief:  Documents  indicating  arrangements  with  the  Sudanese  government  to  grant  land  in  Darfur  to  Arab  settlers  from  Mali  (Civilians 
and  adminisrators  on  the  gruond  in  Darfur  indicate  this  has  been  taking  place). 


Mexico 

■  Agreements  between  USA  and  Peter  Herlihy 

•  Brief:  Zapotec  indigenous  people  demand  transparency  from  U.S.  Scholar  and  full  disclosure  of  all  the  agreements  between  U.S. 
Government  and  their  agencies  and  U.S.  geography  scholar  Peter  Herlihy,  especially  confidential  agreements  with  Foreign  Military 
Studies  Office.  Prof.  Herlihy  failed  to  mention  that  he  received  funding  from  the  Foreign  Military  Studies  Office  of  the  U.S.  Armed 
Forces  on  the  research  of  "Mexico  Indigena"  project.  Mexico  Indigena  Project  forms  part  of  the  Bowman  Expeditions,  a  more  extensive 
geographic  research  project  backed  and  financed  by  the  FMSO,  among  other  institutions.  The  FMSO  inputs  information  into  a  global 
database  that  forms  an  integral  part  of  the  Human  Terrain  System  (HTS),  a  United  States  Army  counterinsurgency  strategy  designed  by 
Foreign  Military  Studies  Office  and  applied  within  indigenous  communities,  among  others. 

•  Entity:  FMSO 

•  Entity:  Peter  Herlihy 

•  Ruta  Maya  2002  Isuzu  Challenge 

•  Brief:  Documents  to  unveil  the  real  purpose  of  "Ruta  Maya  2002  Isuzu  Challenge".  The  convoy  was  commanded  by  Ben  Nun  Avihu, 
Israeli  militar  and  Moshe  Savir,  geography  expert  and  around  50  tourists  in  40  Isuzu  Jeep.  Some  communities  linked  the  incursion  with 
biopiracy.  The  terrain  they  explored  is  controled  by  the  EZLN. 

•  Entity:  Ben  Nun  Avihu 

•  Entity:  Moshe  Savir 

•  Entity:  EZLN 

•  Corruption  around  FOBAPROA 

•  Brief:  Documents  related  with  the  fraud  and  corruption  around  FOBAPROA  (Fondo  Bancario  de  Proteccidn  al  Ahorro). 

•  Entity:  FOBAPROA  1 2 

•  Financial  operations  before  crisis 

•  Documents  of  financial  operations  just  before  the  financial  crisis  of  1994  (some  say  the  government  knew  before  that  the  crisis  was 
coming  and  took  advantage  of  the  information  protecting  their  interests). 

•  World  Bank  credit 

«  Brief:  Documents  related  with  the  World  Bank  credit  and  application  of  the  budget  to  combat  swine  flu. 

•  Entity:  World  Bank 

•  Renault  program 

•  Brief:  Documents  related  with  the  technology  currently  used  in  cellphones  in  Mexico  to  implement  the  RENAUT  program  Information 
about  the  security  technology  used  to  protect  data  collected  from  users. 

•  Plan  Merida 

•  Brief:  Documents  related  to  the  transparency  of  Plan  Merida 


Niger 


*  Arrangements  with  the  Sudanese  government 

•  Brief:  Documents  indicating  arrangements  with  the  Sudanese  government  to  grant  land  in  Darfur  to  Arab  settlers  from  Niger  (Civilians 
and  adminisrators  on  the  gruond  in  Darfur  indicate  this  has  been  taking  place). 


Norway 


•  Court  case  between  Lyse  Tele  and  Simonsen 

•  Brief:  The  secret  verdict  in  the  court  case  between  the  ISP  Lyse  Tele  and  the  law  firm  Simonsen,  decided  the  5th  of  May  2009,  where 
Simonsen  demanded  Lyse  Tele  disclose  the  identity  information  of  a  file  sharer  suspected  of  uploading  a  copy  of  the  movie  Max  Manus 
to  the  file-sharing  community. 

•  Entity:  Lvse  Tele 

•  Entity:  _ _ 

- FJT7MU  V. 
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Poland 

*  IPN  Files 

•  Brief:  IPN  (Instytut  Pami^ci  Narodowej)  is  an  organisation  created  for  investigation  and  gathering  of  informations  regarding  crimes 
against  polish  citizens  in  the  timeline  of  22  july  1 944  to  3 1  december  1989.  Gathered  documents  are  often  related  to  politicans,  high- 
ranked  military,  priests  et  cetera,  but  for  some  reason  are  not  available  for  anyone;  they  are  instead  used  as  political  weapon  against 
one's  enemies,  revealing  working  as  an  agent  for  SB  (Shiiba  Bezpieczeftstwa)  in  the  above  timeline.  For  two  main  reasons  ALL  data 
should  be  available  FOR  ANYONE.  First,  it  would  no  longer  be  used  as  political  weapon;  second,  all  people  would  know  about  past  of 
all  public  people.  Transparency  is  the  key  for  healthy  government. 

•  Entity:  IPN 

•  Entity:  SB 

Puerto  Rico 

*  FBI  surveillance  of  Puerto  Rico  citizens 

"  Brief:  The  FBI  has  not  yet  finished  declassifying  all  the  secret  files  related  to  surveillance  of  Puerto  Rican  individuals  and  organizations 
from  the  1930-70’s  http://www.Dr-secretfiles.net/index.html  (not  to  mention,  large  sections  of  the  files  are  blacked  out  by  the  FBI).  In 
addition,  there  are  thousands  of  secret  files  produced  by  Puerto  Rican  police  that  were  only  briefly  made  available  to  individuals 
themselves,  and  have  now  been  closed  off  to  the  public.  These  documents  provide  evidence  of  quite  a  significant  spying  and 
intimidation  operation  by  the  United  States  and  local  police  against  leftists  and  independence  movement  leaders. 

•  Entity:  FBI 

Rwanda 

*  Financial  aid  for  Laurant  Nkunda 

»  Brief:  Documentation  of  financial  assistance  given  by  the  Rwandan  government  to  General  Laurant  Nkunda  for  operations  in  the  DRC. 

0  Entity:  Laurent  Nkunda 


Russia 

•  VRYAN  crisis  documentation 

•  Brief:  Documents  related  to  the  VRYAN  crisis,  especially  political  documents,  analyses  of  intelligence,  and  specific  steps  taken. 
Information  on  the  mindset  of  the  Politburo,  as  well  as  intelligence  services,  and  what  exactly  they  feared,  and  how  credible  they 
believed  their  fear  to  be. 

•  Maps  for  Kremlin  and  military  hideouts 

•  Brief:  Maps,  floor  plans,  and  blueprints  of  Mount  Yamantaw  and  Kosvinsky  Mountain. 

•  Technology  analysis 

•  Brief:  Technical  plans,  manuals,  and  blueprints  for  the  SS-27  Sickle  B  (Topol-M),  along  with  the  Bulava. 

•  Brief:  Documents  relating  to  nuclear  warplans  of  the  Soviet  Union  and  Russia. 

•  Brief:  Documents  relating  to  orbital  weapons  systems,  and  whether  the  Soviets  ever  deployed  them  (or  still  deploy  them)  such  as  orbital 
HANE  devices. 

•  Brief:  A  list  and  description  of  the  various  agents  prepared  by  the  various  Soviet  and  Russian  bioweapons  programs.  Indications  of 
whether  they  developed  recombinant  DNA  based  agents,  and  what  those  are  specifically.  Weaponization  of  agents,  including  re-entry 
vehicle  mounting.  Doctrine  for  use,  including  deniable  use.  Vaccines  and  treatments  for  affected  personnel. 

Slovenia 


*  Taped  conversations  between  Slovenian  opposition  leader  and  Croatian  PM 

•  Brief:  Taped  conversations  between  Slovenian  opposition  leader  Janez  Jansa  and  Croatian  prime  minister  Ivo  Sanader,  recorded  by 
Slovenian  intelligence  service  SOVA. 

•  Date:  Summer  2004 

•  Entity:  Janez  Jansa 

•  Entity:  Ivo  Sanader 

•  Entity:  SOVA 


Sudan 

*  Salah  Gosh  and  the  CIA 

•  Date:  2005 

•  Documents  detailing  discussions  during  2005  meeting  between  Salah  Gosh  and  the  CIA  (for  which  the  CIA  flew  Gosh  on  private  jet 
from  Khartoum  to  CIA  HQ).  See:  http://www.sudantribune.com/article.phD37id  article=  1 0205 

•  Mall  case 
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•  Brief:  Documents  indicating  arrangements  with  the  Sudanese  government  to  grant  land  in  Darftir  to  Arab  settlers  from  Mali  (Civilians 
and  adminisrators  on  the  gruond  in  Darfur  indicate  this  has  been  taking  place). 

•  Libya  case 

-  Brief:  Documents  indicating  arrangements  with  the  Sudanese  government  to  grant  land  in  Darfur  to  Arab  settlers  from  Libya  (Civilians 
and  adminisrators  on  the  gruond  in  Darfur  indicate  this  has  been  taking  place). 

•  Niger  case 

•  Brief:  Documents  indicating  arrangements  with  the  Sudanese  government  to  grant  land  in  Darfur  to  Arab  settlers  from  Niger  (Civilians 
and  adminisrators  on  the  gruond  in  Darfur  indicate  this  has  been  taking  place). 

Syria 

■  Assasination  of  Mebdi  Ben  Barka 

•  Brief:  All  the  documents  related  to  the  assasination,  in  1965,  of  Mehdi  Ben  Barka  still  held  in  France,  USA,  Israel  and  Morocco.  In 
1976,  thanks  to  the  Freedom  of  information  Act,  the  US  govemement  recognized  that  the  CIA  had  about  1800  classified  documents 
about  his  assassination.  Theses  documents  are  still  classified. 

Switzerland 

•  Cornu  Report 

•  Brief:  The  full  Comu  Report.  See  http://en.wikiDedia.ore/wiki/Proiekt-26*The  Comu  Report 


Swaziland 


•  Expense  accounts  of  King  Mswati,  the  Queen  Mother  and  the  King's  wives. 

•  Memos  from  Ministry  of  Defense  or  Police 

•  Brief:  Intelligence  memos  from  the  Ministry  of  Defence  or  Police  about  the  pro-democracy  organization,  PUDEMO. 

«  Entity:  Pudemo 

Trinidad  and  Tobago 

•  Commission  of  Enquiry  reports 

•  Brief:  The  Report  on  the  Commission  of  Enquiry  into  the  construction  of  the  new  Piarco  Airport.  This  identified  corrupt  practices  in  the 
spending  of  public  funds.  The  Commission's  report  was  delivered  in  August  2003.  Nearly  6  years  later,  its  findings  have  not  been  made 
public. 

•  Brief:  Report  of  the  findings  of  the  current  Commission  of  Enquiry  into  the  local  construction  sector 

•  Entity:  Commission  Enquiry 

•  Entity:  Piarco  airport 

•  Caroni  Bridge  collapse 

•  Brief:  The  Report  on  the  Caroni  Bridge  Collapse.  A  man  was  killed  when  a  bridge  collapsed  a  few  years  ago;  again  the  public  has  not 
been  made  aware  of  the  report's  findings. 

•  Date:  2nd  August  2008 

•  Waterfront  Development  Project 

•  Brief:  A  copy  of  the  contract  for  the  billion-dollar  Waterfront  Development  Project. 

°  Entity:  ?udecott? 

•  Scholarships  sponsored  by  Ministry  of  Culture 

•  Brief:  List  of  recipients  and  amounts  of  scholarships  sponsored  by  Ministry  of  Culture  for  study  abroad. 

•  Entity:  Ministry  of  Culture 

»  Detail: 

As  far  as  Trinidad  and  Tobago  goes,  our  government  tends  to  pay  lip  service  to  the  principles  of  transparency  and  accountability.  For 
instance,  there  is  a  Freedom  of  Information  Act  which,  by  law,  allows  the  public  to  seek  information  from  government  departments.  But 
quite  often,  when  such  attempts  are  made  by  the  citizenry,  the  government  bars  lull  disclosure.  Depending  on  how  important  a  piece  of 
information  is  to  Joe  Public,  he  may  actually  have  to  turn  to  the  courts  to  "force"  the  government  to  reveal  facts  that  should  be  disclosed 
voluntarily.  Following  are  a  few  examples  of  documents  that  should  be  made  public,  but  have  not  been: 

•  The  Report  on  the  Commission  of  Enquiry  into  the  construction  of  the  new  Piarco  Airport  This  identified  comipt  practices  in  the  spending  of 
public  funds.  The  Commission's  report  was  delivered  in  August  2003.  Nearly  6  years  later,  its  findings  have  not  been  made  public. 

•  The  Report  on  the  Caroni  Bridge  Collapse.  A  man  was  killed  when  a  bridge  collapsed  a  few  years  ago;  again  the  public  has  not  been  made 
aware  of  the  report's  findings. 
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•  The  Opposition  recently  brought  up  in  Parliament  the  issue  of  taxpayers'  money  being  used  to  pay  attorneys  by  state.  Although  the  public  has 
a  right  to  know  how  much  of  its  funds  were  used  in  paying  said  attorneys,  the  Attorney  General  refused  to  disclose  the  sums,  saying  it  would 
be  an  invasion  of  the  lawyers'  privacy. 

•  The  same  goes  for  a  recent  request  in  Parliament,  whereby  *the  Minister  of  Planning  and  Development  was  asked  to  produce  a  copy  of  the 
contract  for  the  billion-dollar  Waterfront  Development  Project*.  The  Minister’s  response  was  that  she  could  not  produce  said  contract  for 
public  discussion  because  there  was  a  confidentiality  clause  contained  therein  (for  a  project  being  built  with  public  funds). 

•  The  Ministry  of  Culture  recently  awarded  scholarships  for  students  to  study  abroad  -  when  asked  in  Parliament  to  disclose  the  list  of  recipients 
and  the  dollar  value  of  the  scholarships,  the  response  was  that  this  was  private  information. 

Uganda 

•  Ugandan  profit-sharing  agreements  with  oil  companies  in  south-western  Uganda 

•  Brief:  The  government  of  Uganda  has  recently  signed  a  number  of  profit-sharing  agreements  with  several  oil  companies  that  are 
conducting  explorations  in  southwestern  Uganda.  Releasing  these  documents  would  be  a  major  step  in  increased  transparency  with 
respect  to  the  country's  emerging  oil  industry. 

United  Kingdom 

■  Censorship  in  UK 

■>  Brief:  List  of  current  and  expired  D-Notices 

•  Entity:  dnotice 

°  Brief:  secret  gag  orders,  injunctions  and  legal  threats  sent  to  UK  newspapers 

"  Entity:  legal  contact  addresses  at  the  Guardian,  Daily  Mail,  Times,  Independent,  Evening  Standard,  etc. 

■  Brief:  Censorship  list  for  the  United  Kingdom's  "voluntary"  filter  system.  Known  to  be  held  by  The  Internet  Watch  Foundation. 
Companies  and  their  subsidiaries  which  are  currently  being  supplied  with  the  1WF  list.  Most  ISP's  in  the  UK  have  a  copy  of  the  IPs  on 
the  list. 

•  Entity:  The  Internet  Watch  Foundation 


•  Iraq  war  planning 

•  Brief:  The  secret  cabinet  minutes  and  legal  advice  pertaining  to  the  allegedly  illegal  war  and  ongoing  occupation  of  Iraq. 

•  Roger  Hollis  surveillance 

•  Brief:  UK  Government  documentation  into  the  investigation  of  Roger  Hollis,  head  of  MI5  between  1956  and  1965,  including  the  report 
by  Lord  Trend,  into  the  serious  but  apparently  unproven  allegations  of  being  a  Russian  Spy. 

»  Entity:  MI5 

•  Wythenshawe  intelligence  centre 

•  Brief:  Documents  detailing  the  information  stored  and  collected  by  the  Wythenshawe  intelligence  centre.  [2] 

■  Police  surveillance  on  climate  change  protestors 

•  Brief:  A  copy  of  the  police  intelligence  handed  to  E.ON  about  climate  change  protestors.  [3] 

«  Entity:  E.ON 

•  MP  expenses 

•  Brief:  The  full  MP  expenses  data;  how  much  the  Telegraph  paid  for  them. 

•  Entity:  Daily  Telegraph 
»  Entity:  UK  Parliament 

•  Allan  Cappelow  murder 

•  Brief:  Documents  revealing  why  the  trial  of  Wang  Yam,  who  was  convicted  of  killing  Allan  Chappelow,  was  held  in  camera,  the  first 
UK  murder  trial  ever  heard  behind  closed  doors  without  access  by  press  or  publicf41 

•  Nationalisation  of  Northern  Rock  and  Bradford  &  Bringley 

•  Brief:  The  proper  reasons  for  nationalisation  of  Northern  Rock  and  Bradford  &  Bingley,  and  the  subsequent  sale  of  the  latter's  savings 
buisiness  to  Santander. 

•  Brief:  Records  of  events  during  the  twelve  months  leading  up  to  the  nationalisation  of  Bradford  &  Bingley. 

•  Brief:  Information  regarding  the  valuation  process  to  determine  compensation  for  fromer  shareholders  of  Northern  Rock  and  Bradford 
&  Bingley,  that  is,  the  information  the  independent  valuer  uses  to  determine  the  final  value  of  the  comapanies. 

•  Entity:  B&B 

•  Entity:  Northern  Rock 

•  HBOS  takeover 

•  Brief:  Copies  of  government  minutes  of  meetings  between  Gordon  Brown  and/or  Alistair  Darling  and  representatives  of  Lloyds  Bank 
relating  to  the  proposed  takeover  of  HBOS. 

•  Investigation  into  Daveport  Lyons 

•  Brief:  Documents  from  Solicitors  Regulation  Authority's  investigation  into  Davenport  Lyons  threatening  letters  related  to  filesharing. 
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•  Security  Council  and  Darfur 

•  Brief:  Requests  to  the  Security  Council  in  2003  that  the  Security  Council  look  at  what  was  happening  in  Darfur,  and  any  notes  of 
discussions  leading  to  the  decision  not  to  look  at  the  situation. 

•  Date:  2003 

•  Entity:  UN  Security  Council 


United  States 

Important  bulk  databases 

•  Intellipedia 

•  Brief:  Classified  intelligence  community  site  as  of  1 1/1/2008,  including  article  history. 

■  opensource.gov 

•  Brief:  The  complete  CIA  Open  Source  Center  analytical  database.  The  database  is  extensive,  unclassified,  non-public,  but  relatively 
accessible  to  certain  outsiders  after  jumping  through  hoops.  Despite  its  name,  you  need  to  be  government  official  to  gain  access  to  it. 

•  Entity:  oDensource.gov 

•  Pacer  database 

•  Brief:  The  complete  PACER  database.  The  PACER  database  contains  extensive  US  federal  court  records.  They  are  public  documents, 
currently  behind  a  paywall.  See  httD://arstechnica.com/tech-Dolicv/news/2009/Q4/case  against-pacer.ars 

•  Entity:  PACER 

Federal  politics 

•  The  missing  five  million  White  House  emails-possibly  no  longer  in  existence. 

•  Chenney  and  Rumsfeld  Archives 

•  The  White  House  visitor's  list 

•  Minutes  or  notes  for  VP  Cheney's  Energy  Conference. 

•  The  1 141  pages  of  ACTA  background  documents  not  released  to  the  EFF  by  the  US  Trade  Representative  (see  £5]) 

•  A  list  of  all  Whitehouse  and  senior  federal  government  employees  holding  dual  citizenship  and  the  countries  they  represent. 

Military  and  Intelligence 

•  The  SIOP 

•  OPLAN/CONPLAN  8022,  2003  revision. 

•  OPLAN/CONPLAN  8044,  2007  revision. 

•  CIA  detainee  interrogation  videos.  While  the  CIA  claims  to  have  destroyed  92  of  the  videos,  others  are  known  to  remain. 

•  The  US  "Black  Budget",  from  inception  to  present,  with  line  items,  hopefully  annotated  and  explained. 

•  Detainee  abuse  photos  withheld  by  the  Obama  administration. 

•  Wiretapping  program  led  by  NSA 

•  Brief:  Correspondence  between  the  National  Security  Agency  and  American  telecom  companies  such  as  AT&T,  Verizon,  and  Qwest, 
regarding  the  warrantless  wiretapping  program.  Correspondence  involving  telecoms  who  cooperated  with  the  NSA  (e.g.  AT&T)  may 
give  different  information  than  telecoms  who  refused  (e.g.  Qwest),  but  both  types  would  better  shed  light  on  the  NSA's  program.  The 
existence  of  this  correspondence  is  well  documented  in  the  media,  for  example  that  Qwest's  lawyers  refused  to  cooperate  because  the 
FISA  Court  had  not  signed  off  on  it. 

•  Entity:  NSA 

■  Entity:  Qwest 

•  Entity:  AT&T 

•  Entity:  Verizon 

•  Unredacted  copy  of  Dept  of  Justice's  Office  of  Inspector  General's  "A  Review  of  the  FBI' s  Actions  Connection  With  Allegations  Raised  By 
Contract  Linguist  Sibel  Edmonds"  July  1,  2004  (redacted  version  here  http://www.wbez.org/FILES/sibel.pdf) 

•  Camp  Delta  (Guantanamo)  Standard  Operating  Procedure  2005-2009. 

•  Iraq  US  Army  Rules  of  Engagement  2007-2009  (SECRET). 

•  Unredacted  Inquiry  into  the  Treatment  of  Detainees  in  US.  Custody,  20Noy  2008. 

•  Memorandum  between  the  CIA  and  the  Department  of  State  detailing  any  constraints  on  Darfur  policy  caused  by  actual  or  anticipated 
Sudanese  government  cooperation  on  counter-terrorism,  including  CIA  request  to  USUN  that  Salah  Gosh  be  removed  from  the  UN  Panel  of 
Experts  list  of  those  recommended  for  sanction.  See:  http://www.sudantribune.com/artiele.php37id  article^  1 0205 

•  Department  of  State  and  CIA  contributions  to  the  Obama  Administration's  2009  Sudan  Policy  Review,  in  particular  with  respect  to:  a) 

Whether  to  support  the  ICC  arrest  warrant  against  Sudanese  President  Bashir,  b)  whether  to  take  a  confrontational  or  an  appeasement  approach 
to  the  Sudanese  government  on  the  issue  of  Darfur. 

•  Camp  Delta  (Guantanamo)  Standard  Operating  Procedure  2005-2009. 

•  Camp  Delta  (Guantanamo)  Interrogation  Standard  Operating  Procedure  2003-2009. 

•  Correspondence  between  the  National  Security  Agency  and  American  telecom  companies  such  as  AT&T,  Verizon,  and  Qwest,  regarding  the 
warrantless  wiretapping  program.  Correspondence  involving  telecoms  who  cooperated  with  the  NSA  (e.g.  AT&T)  may  give  different 
information  than  telecoms  who  refused  (e.g.  Qwest),  but  both  types  would  better  shed  light  on  the  NSA's  program.  The  existence  of  this 
correspondence  is  well  documented  in  the  media,  for  example  that  Qwest's  lawyers  refused  to  cooperate  because  the  FISA  Court  had  not 
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•  Iraq  and  Aflianistan  US  Army  Rules  of  Engagement  2007-2009  (SECRET). 

•  CIA/DIA/NGA/NSA  analyses  of  the  VRYAN  crisis  of  1983. 

•  Technical  specifications  of  the  KH-1 1  and  follow-on  satellites  with  similar  capabilities. 

•  The  contents  of  the  Football,  and  how  they  changed  over  the  years  during  the  different  Administrations. 

•  What  Pollard  stole  and  gave  to  the  Mossad,  the  full  text. 

•  US  psychological  profiles  and  political  analyses  of  Soviet  leaders. 

•  Documents  relating  to  orbital  weapons  systems,  and  whether  the  US  ever  deployed  them  (or  still  deploy  them)  such  as  orbital  HANE  devices. 

•  Information  about  the  PAN  satellite  and  the  agency  responsible  for  it  http://space flightnow.com/news/n0905/26milspace/ 

•  Commander  Directed  Report  of  Investigation  Concerning  an  Unauthorized  Transfer  of  Nuclear  Warheads  Between  Minot  AFB,  North  Dakota 
and  Barksdale  AFB,  Louisiana  -  30  August  2007  (S//FRD//MR) 

•  Investigation  into  the  Shipment  of  Sensitive  Missile  Components  to  Taiwan  (ADM  Donald  Report)  -  22  May  2008  (S//FRD//NOFORN) 

•  Air  Force  Comprehensive  Assessment  of  Nuclear  Sustainment  (CANS)  -  July  2008  (S//FRD//NOFORN) 

•  General  Order  Number  One  issued  by  commanders  in  Iraq  and  Afghanistan 

•  Reports  about  Colombian  'falsos  positives' 

•  Unredacted  copy  of  Dept  of  Justice's  Office  of  Inspector  General's  "A  Review  of  the  FBI' s  Actions  Connection  With  Allegations  Raised  By 
Contract  Linguist  Sibel  Edmonds"  July  1 , 2004  (redacted  version  here  http://www.wbez.org/FlLES/sibel.pdf) 

•  All  secret  annexes  for,  attachments  to,  unredacted  versions  of,  and  documents  implicitly  or  explicitly  referenced  in  the  following 
documents,  which  may  be  partially  available  in  unclassified  form: 

■  National  Security  Presidential  Directive  51,  "National  Continuity  Policy",  May  9,  2007,  also  known  as  Homeland  Security 
Presidential  Directive  20 

■  Federal  Preparedness  Circular  65,  "Federal  Executive  Branch  Continuity  of  Operations  (COOP)",  July  26,  1999 

■  Federal  Response  Plan  [FEMA  9230.1 -PL],  April  1999 

■  Presidential  Decision  Directive  67,  "Enduring  Constitutional  Government  and  Continuity  of  Government  Operations",  October 
21,1998 

■  Presidential  Decision  Directive  63,  "Critical  Infrastructure  Protection  (C1P)",  May  22,  1998 

■  Presidential  Decision  Directive  62,  "Protection  Against  Unconventional  Threats  to  the  Homeland  and  Americans  Overseas",  May 
22,  1998 

■  FPC65  Federal  Response  Planning  Guidance  01-94,  "Continuity  of  Operations  (COOP)",  December  4,  1994 

■  PDD  67  National  Security  Directive  69,  "Enduring  Constitutional  Government",  June  2,  1992 

■  FPC  65  Federal  Preparedness  Circular  61,  "Emergency  Succession  to  Key  Positions  of  the  Federal  Departments  and  Agencies", 
August  2,  1991 

■  Federal  Preparedness  Circular  62,  "Delegation  of  Authorities  for  Emergency  Situations",  August  I,  1991 

■  Federal  Preparedness  Circular  60,  "Continuity  of  the  Executive  Branch  of  the  Federal  Government  at  the  Headquarters  Level 
During  National  Security  Emergencies",  November  20, 1990 

■  National  Security  Directive  37,  "Enduring  Constitutional  Government",  April  18,  1990 

■  Executive  Order  12656,  "Assignment  of  Emergency  Preparedness  Responsibilities",  November  18,  1988 

■  Executive  Order  12472,  "Assignment  of  National  Security  and  Emergency  Preparedness  Telecommunications  Functions",  April  3. 
1984 

■  NSD69  NSDD  55,  "Enduring  National  Leadership"  September  14,  1982 

■  Executive  Order  12148,  "Federal  Emergency  Management",  July  20,  1979 

•  A  list  of  the  actual  facilities  in  the  Federal  Relocation  Arc,  as  of  the  present  time,  along  with  their  locations. 

■  Blueprints,  maps,  and  floor  plans  of  MWEOC. 

■  Blueprints,  maps,  and  floor  plans  of  Site  R  (Raven  Rock). 

■  Blueprints  and  floor  plans  of  all  unmentioned  facilities  in  the  Federal  Relocation  Arc,  including  historical  ones. 


Banking 

•  The  complete  list  of  identities  of  the  52,000  wealthy  American  clients  suspected  of  hiding  SI  5  billion  at  UBS  to  avoid  taxes,  including  the 
names  of  any  elected  or  appointed  government  or  former  government  officials. 

•  The  complete  details  of  Goldman,  Sachs  &  Co.’s  counterparty  exposure  to  A1G  prior  to  the  Federal  bailout  of  AIG  in  September,  2008. 

Environment 

•  Monsanto's  internal  evaluations  of  GMO  products  including  safety  and  pollen  drift. 

Media 


•  The  Editorial  Guidelines  for  Fox  News 

•  Emails  relating  to  suppressed  GQ  Magazine  article  on  Putin's  rise  by  Scott  Anderson  mentioned  at  161 
Religion 

•  Mormons  Church  records 

•  With  recent  leak  of  1999/2006  Church  Handbook  of  Instructions,  pertinent  documents  and  covertly  photographed  artifacts  in  the  vault  at 
Church  Office  building  or  subsidy  in  Salt  Lake  City,  Utah  which  expose  and  negate  Mormon  Church's  claim  of  divinity  and  its 
monopoly  on  "truth."  l.e.  the  concealed  remnants  of  diaries  and  letters  written  by  former  early  Mormon  apostle  William  McLellin  [71. 
McLellin  diary  and  documents  was  the  main  point  of  interest  for  convicted  double  murderer/bomber  Mark  Hofmann's  planned  forgery 
attempt  to  deceive  Mormon  leaders  to  obtain  in  fraud  by  deception  monetary  reward  to  suppress  truth  of  early  Mormon  history 
unfavorable  to  current  Mormon  religion.  For  more  info,  [81. 
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Documents  of  Mormon  Church's  billion-dollar  investment  in  City  Creek  Mall  and  Condominium  in  SLC,  which  may  put  Mormon 
Church's  IRS  tax-exempt  status  in  jeopardy  if  there  is  verification  of  the  allegation  the  Church  used  tithe  and  offering  monetary 
contributions  by  the  members  to  fiind  the  project  under  the  umbrella  of  tax-exempted  religious  freedom. 

Mormon  Church  leadership's  involvement  in  politics,  such  as  correspondence  to  ecclesiastical  subordinates  (bishopric)  on  policy  and 
attitude  towards  same-sex  civil  rights  &  other  sensitive  issues  relevant  and  concerning  to  the  leaders.  As  well  as  recorded 
correspondences  between  Mormon  members  of  Utah  legislation  and  Church  leaders  on  sensitive  political  issu Italic  lextes  for  legislation 
purposes  which  may  contravene  the  separation  of  church  and  state. 

Uncovered  film  or  audio  recording  featuring  the  play  with  the  actor  portraying  Protestant  minister  encouraged  by  Satan/Lucifer 
(portrayed  by  actor)  to  spread  false  doctrines  to  attack  all  religions  outside  of  Mormon  religion  as  "abominable"  which  was  exhibited  for 
qualified  "temple  recommend"  audiences  in  all  of  the  existing  temples  prior  to  removal  in  1990  (almost  like  leaked  Scientology 
orientation  video)  191. 

Unearthed  secret  audio  or  video  recording  inside  Mormon  temple  with  the  temple  members  swearing  "blood  oath"  before  removal  in 
1990.  HOI 

Documented  Church  leaders'  and  lay  clergy's  cover-up  of  physical/sexual  abuse  and  rape  of  minors  by  missionaries  and  members 
without  reporting  to  law  enforcement  in  some  cases  11 11. 

Older  editions  of  Church  Handbooks  of  Instructions  from  the  first  edition  up  H21  for  comparison  to  recent  leaked  1968  (truncated), 

1999  and  2006  editions. 


Vatican 


*  Vatican  secret  archives 

•  Brief:  The  Index  of  the  Vatican  Secret  Archive.  At  present  pre-screned  scholars  are  allowed  to  see  it  but  not  copy  it  (under  scholar  rule 
*16  http://asv.vatican.va/en/fond/amm.htm) 

*  Vatican's  documents  on  nazi  Germany 

•  Brief:  All  documents  pertaining  to  Nazi  Germany  and  the  Vatican,  as  well  as  those  relating  to  the  post-war  rat  line  to  Argentina.  Refer  to 
http://news.bbc.co.Uk/2/hi/europe/26l  I847.stm 

International  organizations 

*  Bilderberg  Group 

•  Brief:  Bilderberg  Group  meeting  minutes,  papers  and  annual  reports  of  since  1954.  WikiLeaks  has  some  years  already.  Bilderberg  is  an 
annual  off-the  record  conference  of  transatlantic  political,  economic  and  ideological  agenda  setters.  As  an  historically  important 
confidential  document  collection  it  is  probably  only  equaled  by  Cabinet  minutes  and  high  level  intelligence  and  diplomatic  assessments. 
Leads:  There  are  some  older,  previously  unnoticed  records  in  boxes  at  Uni  of  Illinois 
http://www.librarv.illinois.edU/archives/uasfa/l  53505 1  pdf  (1956-1970)  the  George  Bush  library, 
http://bushlibrarv.tamu.edu/research/findine  aids/pdfs/08-0379-F.pdf  and  the  Eisenhower  Library  in  Kansas 
http://www.eisenhower.utexas.edu/Research/Findjng  Aids/PDFs/Jackson  CD  Records.pdf 

•  Entity:  Bilderberg  Group 

*  Alliance  Base 

•  Brief:  Documents  regarding  the  founding  and  operation  of  Alliance  Base. 
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STIPULATION  OF 
EXPECTED  TESTIMONY 

LCDR  Thomas  Hoskins,  USNR 


June  2013 


(U)  It  is  hereby  agreed  by  the  Accused,  Defense  Counsel,  and  Trial  Counsel,  that  if 
LCDR  Thomas  Hoskins,  USNR  were  present  to  testify  during  the  merits  and  pre-sentencing 
phases  of  this  court-martial,  he  would  testify  substantially  as  follows. 

1 .  (U)  I  am  a  Lieutenant  Commander  in  the  United  States  Navy  Reserves.  As  a  reservist,  I  am 
currently  assigned  to  United  States  Pacific  Fleet.  In  1997, 1  obtained  a  BS  in  Marine 
Transportation  and  a  BS  in  Environmental  Science  from  the  Massachusetts  Maritime  Academy. 
In  2007, 1  obtained  a  Masters  of  Business  Administration  from  the  Naval  Postgraduate  School. 

2.  (U)  I  entered  active  duty  in  the  United  States  Navy  in  1998  and  left  active  duty  in  2009. 

While  on  active  duty,  I  was  an  F-l  8  pilot.  I  joined  the  United  States  Navy  Reserves  in  2009.  I 
have  logged  over  1700  hours  as  a  pilot,  to  include  approximately  320  hours  of  combat  flight 
time.  I  have  completed  the  requisite  training,  to  include  6  weeks  of  ground  school,  1  year  of 
primary  training  for  preliminary  flight  instruction,  1  year  of  specialty  training  after  I  selected 
intermediate  training,  and  8  months  of  advanced  training  in  weapons,  formation  flying,  and 
carrier  landing.  After  completing  that  training,  I  was  selected  to  fly  F-l  8s  and  received  my 
wings.  Thereafter,  I  completed  one  year  of  F-l  8  training  where  I  received  additional  training  in 
weapons  usage,  high  and  low  level  deployment  of  bombs,  and  carrier  flying.  As  a  pilot,  I  have 
served  as  an  F-l 8  division  combat  lead.  I  have  operated  weapons  while  deployed  in  Afghanistan 
and  conducted  reconnaissance  while  deployed  in  Iraq.  I  have  deployed  three  times  in  2001-02, 
2003-04,  and  2008  in  support  of  OPERATION  ENDURING  FREEDOM  and  OPERATION 
IRAQI  FREEDOM.  I  have  also  served  as  a  flight  instructor  for  three  years. 

3.  (U)  As  a  reservist,  I  currently  work  on  planning,  which  involves  concept  plans,  operations 
plans,  and  execution  orders.  After  leaving  active  duty  in  2009, 1  began  to  work  at  Booz  Allen  as 
a  contractor.  Today,  I  work  as  a  maritime  planner  for  Booz  Allen.  Previously,  I  worked  for 
Booz  Allen  on  matters  related  to  United  States  Northern  Command  (USNORTHCOM)  maritime 
division.  Currently  at  Booz  Allen,  I  work  on  USNORTHCOM  J6  security  cooperation.  In  my 
work  for  the  J6, 1  work  on  security  cooperation  between  the  United  States  and  Mexico. 
Specifically,  I  work  on  command  and  control  of  communications,  computers,  and  information 
(C4I). 


UNITED  STATES  OF  AMERICA  ) 

) 

v.  ) 

) 

Manning,  Bradley  E.  ) 

PFC,  U.S.  Army,  ) 

HHC,  U.S.  Army  Garrison,  ) 

Joint  Base  Myer-Henderson  Hall  ) 

Fort  Myer,  Virginia  22211  ) 


4.  (U)  I  have  worked  with  classified  information  in  my  career  with  Booz  Allen  and  as  an  active 
duty  and  reservist  pilot.  As  a  pilot,  I  worked  with  classified  information  daily  for  flights, 
mission  planning,  mission  briefing,  and  certain  information  about  the  planes.  Previously,  I 
worked  with  classified  information  in  my  work  at  Booz  Allen  in  the  J5  pertaining  to  homeland 
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defense  plans,  and  planning  and  development  of  specific  plans  for  maritime  activities,  to  include 
work  with  the  United  States  Coast  Guard.  I  have  received  an  one  and  one  half  hour  PowerPoint 
training  on  classification  procedures  and  spent  about  an  hour  quarterly  on  training.  I  have 
received  derivative  classification  training.  I  have  also  used  classification  guides  in  my  work;  I 
have  used  the  USNORTHCOM  classification  guide  to  determine  the  classification  status  of 
information.  I  did  not  consider  the  following  when  making  any  determination:  (1)  what,  if  any, 
of  this  material  was  included  in  open  source  reporting  and  (2)  what,  if  any,  of  this  material  was 
available  in  unclassified  publications  (e.g.  Army  Regulations  or  Field  Manuals). 

5.  (U)  In  201 1, 1  was  mobilized  to  United  States  Central  Command  (USCENTCOM).  I  was 
mobilized  to  the  J5  (planning)  office,  Yemen  Branch.  While  in  this  position,  I  worked  on 
country-to-country  action  plans  and  worked  with  the  United  States  Embassy  in  Yemen  and  the 
Yemeni  military  on  plans  and  security  cooperation. 

6.  (U)  While  mobilized  at  USCENTCOM,  1  was  tasked  though  the  Task  Management  Tool  to 
conduct  a  review  for  classified  information.  The  J5  office  plans  through  the  director,  who 
receives  taskers.  The  director  passed  the  tasker  to  me.  I  received  the  submitted  documents  from 
the  USCENTCOM  JAG  office.  My  assignment  required  me  to  determine  whether  the  submitted 
documents  contained  classified  information  at  the  time  they  were  compromised. 

7.  (U)  In  my  capacity  as  the  person  tasked  with  reviewing  the  submitted  documents,  I  reviewed 
the  documents  for  classified  USCENTCOM  J5  equities.  I  reviewed  approximately  40 
documents  pertaining  to  United  States  v.  Private  First  Class  Bradley  Manning,  which  the 
prosecution  provided  to  USCENTCOM.  The  documents  provided  by  prosecution  (submitted 
documents)  included,  among  others,  documents  from  the  Combined  Information  Data  Network 
Exchange  Afghanistan  (CIDNE-A),  and  other  documents  related  to  the  AR  15-6  investigation  of 
the  Farah  incident. 

8.  (U)  When  conducting  the  review,  I  looked  at  USCENTCOM  classification  guides  and 
Executive  Order  13526,  and  its  predecessors.  I  reviewed  each  submitted  document  line  by  line 
for  classified  information  by  applying  the  USCENTCOM  classification  guides.  I  annotated  the 
basis  for  each  classification  decision  in  my  sworn  declaration  dated  21  October  201 1  (BATES 
numbers:  00527378-00527397).  Prosecution  Exhibit  (PE)  for  Identification  is  this 
declaration.  All  documents  noted  in  the  declaration  contained  classification  markings  and  were 
properly  classified  at  least  at  the  SECRET  level  (hereinafter  “reviewed  documents”). 

9.  (U)  Based  on  my  military  experience,  I  had  prior  familiarity  with  the  types  of  documents  and 
information  I  reviewed.  During  my  deployments,  I  worked  with  similar  classified  information 
pertaining  to  mission  planning,  mission  details,  weapons  systems,  and  maps  of  troop  locations. 

10.  (U)  The  reviewed  documents  consisted  of  documents  collected  from  CIDNE-A  and  other 
documents  related  to  the  Farah  investigation.  The  reviewed  documents  contained  military 
information,  to  include  military  plans,  weapons  systems,  or  operations;  significant  activity 
reports  (SIGACT);  operational  code  words  when  identified  with  mission  operations;  SIGACTs 
related  to  fact  of  and  general  type  of  improvised  explosive  device  (IED)  attack  at  specific 
location  on  specific  date,  which  would  have  been  known  by  the  enemy  that  was  the  subject  of 
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that  report;  participating  units ,  and  details  of  movements  of  US  friendly  forces;  concept  of 
operations  (CONOPS),  Operation  Orders  (OPORD),  or  Fragmentary  Orders  (FRAGOs); 
vulnerabilities  or  capabilities  of  systems,  installations,  infrastructures,  projects,  plans,  or 
protection  services  relating  to  national  security;  and  limitations  and  vulnerabilities  of  US  forces 
in  combat  area.  CONOPs  are  properly  classified  as  Confidential  upon  execution  and  can  be 
declassified  one  year  after  completion.  Participating  units,  including  types,  vulnerabilities, 
locations,  quantities,  readiness  status,  deployments,  redeployments,  and  details  of  movement  of 
U.S.  and  friendly  forces  in  operations  can  be  properly  declassified  upon  execution. 

1 1.  (U)  I  reviewed  and  determined  that  21  SIGACTs  from  CIDNE-A  contained  classified 
information  according  to  the  classification  guides  and  my  knowledge  and  experience.  These 
reviewed  SIGACT  reports  from  CIDNE-A  were  all  marked  as  “SECRET.”  The  reviewed 
SIGACTs  from  CIDNE-A  contained  multiple  forms  of  military  information,  to  include 
information  related  to  deploying  quick  response  forces  and  code  words,  reported  the 
effectiveness  of  IED  attacks,  which  would  be  known  to  the  enemy  that  was  the  subject  of  that 
report,  report  the  locations  of  IED  attacks,  which  would  be  known  to  the  enemy  that  was  the 
subject  of  that  report,  identified  IED  tactics,  techniques  and  procedures  (TTPs)  for  responding  to 
IED  attacks,  identified  TTPs  for  identifying  and  neutralizing  IEDs,  friendly  action  reports  of 
finding  and  clearing  caches,  weapons  systems  and  capabilities,  sources  and  methods  of 
intelligence  engagement,  rules  of  engagement,  CONOPS,  descriptions  of  United  States  forces, 
TTPs  for  mission  execution,  anticipated  enemy  reaction,  flexible  deterrent  options,  code  words, 
assistance  by  local  foreign  nationals  in  locating  suspects,  and  details  of  enemy  attacks.  CONOPs 
are  properly  classified  as  Confidential  upon  execution  and  can  be  declassified  one  year  after 
completion.  Participating  units,  including  types,  vulnerabilities,  locations,  quantities,  readiness 
status,  deployments,  redeployments,  and  details  of  movement  of  U.S.  and  friendly  forces  in 
operations  can  be  properly  declassified  upon  execution.  The  21  CIDNE-A  reports  that  contained 
J5  equities  are  located  in  Appellate  Exhibit  (AE)  501  and  have  the  BATES  numbers: 
00377846-00377846  and  00377888-00377910.  These  CIDNE-A  reports  are  contained  within 
PE  8^  for  ID. 

12.  (U)  Additionally,  I  reviewed  the  AR  15-6  investigation  into  a  military  operation  that  occurred 
in  Farah  province,  Afghanistan  on  or  about  4  May  2009.  The  AR  1 5-6  investigation  into  the 
Farah  incident  was  focused  on  investigating  the  circumstances  surrounding  a  large-scale  civilian 
casualties  (CIVCAS)  incident.  The  incident  occurred  in  Gharani,  which  is  a  village  in  Farah 
Province,  Afghanistan.  As  noted  in  PE^fi  for  ID,  I  found  that  13  of  the  Farah  investigation 
documents  contained  classified  information  I  believed  to  be  sensitive  and  classified  because  the 
documents  reveal  TTPs,  troop  movements,  close  air  support,  troops  in  combat  (TIC),  and 
graphics  showing  troop  movements.  The  Farah  investigation  documents  that  contained  J5 
equities  are  located  in  AE  501  and  have  the  BATES  numbers:  00377425-00377480,  00377496, 
00377627,  00377672-00377674,  00378029,  00378066,  00378071,  00378079,  and  00378082. 
These  documents  are  contained  within  PE^for  ID. 

13.  (U)  I  reviewed  PE  M  for  ID,  a  CD  contained  the  video  named  “BE22  PAX.wmv”.  This 
video  (Gharani  video)  is  a  video  depicting  portions  of  a  military  operation  in  Farah  Province, 
Afghanistan,  separately  from  the  review  I  conducted  for  classified  USCENTCOM  J5  equities. 
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14.  (U)  While  on  active  duty  from  2007-09, 1  was  the  strike  operations  officer  responsible  for 
planning,  training,  coordinating  air  wing  and  air-to-ground  operations,  which  involved 
coordinating  with  the  Army  ground  liaison  for  mission  coordination  of  ground  targets.  In  this 
capacity,  I  reviewed  video  recordings  of  combat  missions.  The  videos  captured  flight  operations 
using  forward  looking  infrared  radar  (FLIR).  1  reviewed  the  videos  to  ensure  the  mission 
achieved  its  goal,  hit  the  target,  or  reviewed  the  information  captured  in  a  reconnaissance 
capacity.  I  reviewed  hundreds  of  these  videos  for  validation.  The  Gharani  video  is  similar  to  the 
hundreds  of  videos  I  reviewed  as  a  strike  operations  officer. 

15.  (U)  I  reviewed  the  Gharani  video  for  sensitive  military  information.  I  relied  on  my 
experience  while  conducting  my  review  for  sensitive  and  classified  information  of  the  Gharani 
video.  In  particular,  I  relied  on  my  training  and  schooling,  experience  as  a  flight  instructor, 
experience  with  operating  FLIR  systems,  and  experience  reviewing  videos  that  record  imagery 
as  presented  in  the  FLIR  system. 


17.  (U)  After  my  review  of  the  above  referenced  documents  for  USCENTCOM  J5  equities,  I 
forwarded  my  conclusions  and  recommendations  to  Deputy  Commander,  USCENTCOM  a 
Original  Classification  Authority  for  his  final  determination  as  to  whether  the  information  is 
properly  classified. 


ALEXANDER  VON  ELTEN 
CPT,  JA 

Assistant  Trial  Counsel 


THOMAS  F.  HURLEY 
MAJ,  JA 

Military  Defense  Counsel 


BRADLEY  E.  MANNING 

PFC,  USA 

Accused 
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UNITED  STATES  OF  AMERICA  ) 

)  STIPULATION  OF 

v.  )  EXPECTED  TESTIMONY 

) 

Manning,  Bradley  E.  )  Lt  Col  (Retired)  Martin  Nehring 

PFC,  U.S.  Army,  ) 

HHC,  U.S.  Army  Garrison,  ) 

Joint  Base  Myer-Henderson  Hall  )  J.®  June  2013 

Fort  Myer,  Virginia  22211  ) 

It  is  hereby  agreed  by  the  Accused,  Defense  Counsel,  and  Trial  Counsel,  that  if  Lt  Col 
(Retired)  Martin  Nehring  were  present  to  testify  during  the  merits  and  pre-sentencing  phases  of 
this  court-martial,  he  would  testify  substantially  as  follows. 

1 .  I  am  a  retired  Lieutenant  Colonel  in  the  United  States  Air  Force.  I  have  a  BS  in  Petroleum 
Engineering  from  New  Mexico  Institute  of  Mining  and  Technology  in  1982.  I  received  a 
Masters  of  Public  Administration  from  Troy  University  in  1995.  I  began  serving  on  active  duty 
in  the  United  States  Air  Force  in  1985  as  a  second  lieutenant.  During  my  career,  I  spent  12  years 
on  active  duty  and  16  years  in  the  California  Air  National  Guard.  I  retired  in  2012.  I  deployed 
to  Kuwait  in  2001  with  the  Third  Army.  I  also  deployed  to  Kosovo  in  2002  for  weather 
operations.  In  2006, 1  deployed  to  Afghanistan  and  ran  all  weather  operations  in  Afghanistan. 
Throughout  my  career  in  the  Air  Force  as  a  trained  meteorologist,  I  possessed  a  TOP  SECRET 
clearance  and  handled  TOP  SECRET  information.  I  handled  classified  information  at  the 
beginning  of  my  service  in  1985  and  had  training  in  how  to  handle  and  identify  classified 
information.  I  worked  with  classified  information  at  all  times  during  my  military  career. 

2.  From  2009  to  February  2012, 1  worked  at  United  States  Central  Command  (USCENTCOM). 

I  worked  in  a  Sensitive  Compartmented  Information  Facility  (SCIF)  at  USCENTCOM.  Initially, 

I  worked  at  the  weather  desk.  After  USCENTCOM  discontinued  the  weather  desk,  I  was 
reassigned  under  the  USCENTCOM  Directorate  of  Operations  (J3)  as  the  J3  subject  matter 
expert  (SME)  for  identifying  J3  classified  equities  within  United  States  Government  official 
documentation.  In  this  capacity,  I  was  primarily  responsible  for  reviewing  documents  being 
processed  under  the  Freedom  of  Information  Act  (FOIA)  which  belonged  to  or  contained 
information  from  USCENTCOM  J3.  For  FOIA  requests,  I  reviewed  the  requested  information 
for  classified  information  to  determine  whether  the  document  could  be  released  under  the  FOIA. 
Additionally,  I  conducted  review  for  release  of  information  to  family  members  of  Service 
Members  who  were  killed,  wounded,  or  kidnapped  within  the  USCENTCOM  theaters  of 
operations  and  the  media.  I  also  conducted  separate  reviews  for  coalition  partners  because  the 
standards  were  different  for  each.  Family  members  and  the  media  could  only  receive 
unclassified  information.  Coalition  partners  could  receive  certain  classified  information. 

Classified  information  in  a  document  could  not  be  released  under  the  FOIA  even  if  the  remainder 
of  the  document  contained  publicly  available  information  because  the  information  is  still 
protected. 

3.  In  my  capacity  as  the  J3  SME,  I  reviewed  documents  pertaining  to  United  States  v.  Private 
First  Class  Bradley  Manning,  which  the  prosecution  provided  to  USCENTCOM.  The  documents 
provided  by  the  prosecution  (submitted  documents)  included,  among  others,  documents  from  the 
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Combined  Information  Data  Network  Exchange  Iraq  (CIDNE-I),  the  Combined  Information 
Data  Network  Exchange  Afghanistan  (CIDNE-A),  other  documents  related  to  the  AR  15-6 
investigation  of  the  Farah  incident,  and  a  file  named  “BE22  PAX.zip”  containing  a  video  named 
“BE22  PAX.wmv”  (Gharani  video). 

4.  I  was  tasked  though  the  J3  Task  Management  Tool.  I  received  the  submitted  documents  from 
the  USCENTCOM  JAG  office.  My  assignment  required  me  to  determine  whether  the  submitted 
documents  contained  classified  information  at  the  time  they  were  compromised.  I  reviewed  the 
documents  for  classified  USCENTCOM  J3  equities. 

5.  To  determine  whether  submitted  documents  were  classified  at  the  time  of  compromise,  I  used 
three  classification  guides.  I  used  a  USCENTCOM  classification  guide  dated  before 
OPERATION  IRAQI  FREEDOM,  the  updated  version  of  that  USCENTCOM  classification 
guide  dated  during  OPERATION  IRAQI  FREEDOM,  and  the  version  of  the  USCENTCOM 
classification  guide  that  was  current  at  the  time  I  conducted  the  classification  review.  I  did  not 
consider  the  following  in  making  any  determination:  (1)  what,  if  any,  of  this  material  was 
included  in  open  source  reporting,  (2)  what,  if  any,  of  this  material  was  available  in  unclassified 
publications  (e.g.  Army  Regulations  or  Field  Manuals),  and  (3)  what,  if  any,  of  this  material  may 
have  been  shared  at  the  tactical  level  during  the  key  leader  engagements  described  below. 

6.  I  applied  a  process-oriented  approach  toward  applying  the  classification  guide  to  each  of  the 
submitted  documents.  First,  I  would  determine  the  date  of  the  document  and  use  the 
classification  guide  appropriate  for  each  document’s  date.  I  would  determine  the  document’s 
classification  at  the  time  the  document  was  created.  Documents  I  determined  that  were 
unclassified  were  removed  from  the  collection  of  submitted  documents.  In  fact,  I  approached  the 
documents  with  a  “FOIA  mindset”  and  tried  to  ensure  each  document  was  not  actually  classified. 
I  did  not  presume  any  document  was  classified  and  reviewed  each  line  in  each  document  for 
classified  information. 

7.  Second,  I  reviewed  the  document  to  determine  if  it  was  classified  at  the  time  of  it  was 
compromised  according  to  the  appropriate  security  classification  guides.  I  reviewed  documents 
for  USCENTCOM  J3  equities.  Documents  containing  intelligence  were  sent  to  Mr.  Louis 
Travieso  for  further  review  for  USCENTCOM  J2  equities.  I  conducted  a  line  by  line  review  and 
reviewed  each  document  for  USCENTCOM  J3  equities  by  applying  specific  paragraphs  of  the 
classification  guide(s)  from  the  appropriate  time  period.  Where  the  reviewed  document 
contained  USCENTCOM  J3  equities  as  determined  by  the  appropriate  USCENTCOM 
classification  guide,  I  marked  the  document  as  containing  information  I  believed  to  be  sensitive 
and  classified.  I  annotated  the  basis  for  each  classification  decision  in  my  sworn  declaration 
dated  19  October  2011,  which  is  BATES  numbers:  00527370-00527377.  Prosecution  Exhibit 
(PE)$k  for  Identification  is  my  declaration.  All  documents  noted  in  the  declaration  contained 
classification  markings  at  the  SECRET  level  (hereinafter  “J3  reviewed  documents”). 

8.  The  J3  reviewed  documents  consisted  of  documents  collected  from  CIDNE-I,  CIDNE-A, 
other  documents  related  to  the  Farah  investigation,  and  the  Gharani  video.  The  reviewed 
documents  contained  military  information,  to  include  military  plans,  weapons  systems,  or 
operations;  foreign  government  information;  significant  activity  reports  (SIGACTs);  operational 
code  words  when  identified  with  mission  operations;  SIGACTs  related  to  fact  of  and  general 
type  of  IED  attack  at  specific  location  on  specific  date;  participating  units,  including  types  of 
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vulnerabilities,  locations,  quantities,  readiness  status,  deployments,  redeployments,  and  details  of 
movements  of  US  friendly  forces;  concept  of  operations  (CONOPS),  operation  orders  (OPORD), 
or  fragmentary  orders  (FRAGOs);  vulnerabilities  or  capabilities  of  systems,  installations, 
infrastructures,  projects,  plans,  or  protection  services  relating  to  national  security;  and  limitations 
and  vulnerabilities  of  US  forces  in  combat  area. 

9.  CIDNE-I  and  CIDNE-A  contained  SIGACT  reports.  The  SIGACTs  were  marked  as 
SECRET.  Within  the  SIGACTs,  several  categories  appeared  multiple  times.  These  categories 
include  key  leader  engagements,  mission  report  logs,  reports  on  improvised  explosive  devices 
(IEDs)  and  tactics,  techniques,  and  procedures  (TTPs)  in  response  to  IEDs,  and  reports  and 
responses  for  missions  focused  on  duty  status  -  whereabouts  unknown  (DUSTWUN). 

10.  Key  leader  engagements  described  interactions  of  members  of  the  military  with  local  leaders 
in  Iraq  and  Afghanistan  regarding  a  broad  range  of  topics.  Disclosure  of  the  key  leader 
engagements  would  reveal  foreign  government  activities,  the  involvement  of  Servicemembers 
with  local  foreign  leaders,  and  the  identities  of  local  leaders. 

1 1 .  Mission  report  logs  described  troop  movements,  activities,  and  engagements  with  hostile 
forces.  The  mission  report  logs  describe  tactics,  troop  locations,  weapons  and  military 
equipment  used. 

12.  IED  reports  detailed  the  casualties  inflicted  on  Servicemembers,  the  locations  of  the  attacks, 
and  TTPs  for  detecting  and  responding  to  IED  attacks.  The  IED  reports  recount  the  attacks  of 
hostile  forces,  troop  locations,  and  the  capabilities  of  United  States  forces. 

13.  DUSTWUN  reports  stated  the  names  and  other  personal  information  of  kidnapped 
Servicemembers  and  the  TTPs  in  response  to  locate  the  kidnapped  Servicemember.  The 
DUSTWUN  reports  state  troop  locations,  tactics,  encounters  by  military  forces  with  hostile 
forces  and  foreign  nationals. 

14.  The  53  CIDNE-I  reports  that  contained  J3  equities  are  located  in  Appellate  Exhibit  (AE) 
501  and  that  have  the  BATES  numbers:  00377912-00377918,  00377921-0377933, 00377935- 
00337938,  00377940-00377949,  00377952-00377958,  00377960-00377963,  00377965- 
00377980,  00377983-00377986,  00377988-00378013,  and  00378016-00378026.  These  CIDNE- 
I  reports  are  contained  within  PE  for  ID.  The  36  CIDNE-A  reports  that  contained  J3  equities 
are  located  in  AE  501  and  that  have  the  BATES  numbers:  00377846-00377846,  00377849- 
00377856,  00377860-00377871,  00377874-00377883,  00377886-00377905,  and  00377907- 
00377910.  These  CIDNE-A  reports  are  contained  within  PE  ^  for  ID. 

15.  The  J3  reviewed  documents  contain  SIGACT  reports  from  CIDNE-I  that  I  determined 
contained  classified  information  according  to  the  applicable  security  classification  guides.  These 
SIGACT  reports  from  CIDNE-I  were  all  marked  “SECRET.”  Additionally,  the  J3  reviewed 
documents  contain  SIGACT  reports  from  CIDNE-A  that  I  determined  contained  classified 
information  according  to  the  applicable  security  classification  guides.  These  SIGACT  reports 
from  CIDNE-I  and  CIDNE-A  were  all  marked  “SECRET.”  The  J3  reviewed  documents  within 
PE^for  ID  and  PE  ^5  for  ID  contain  multiple  forms  of  military  information,  to  include  but  not 
limited  to  the  following:  (1)  threat  of  attack  in  an  area  by  a  specific  group;  (2)  confirmed  that  a 
previously  reliable  source  of  intelligence  provided  information;  (3)  involved  direct  and  indirect 
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fire  reports;  (4)  reported  casualties;  (5)  reported  loss  of  equipment;  (6)  stated  types  of  weapons 
encountered  in  an  enemy  engagement;  (7)  reported  the  effectiveness  of  IED  attacks;  (8)  reported 
the  locations  of  IED  attacks;  (9)  identified  IED  TTPs  for  responding  to  IED  attacks;  (10) 
identified  TTPs  for  identifying  and  neutralizing  IEDs;  (1 1)  identified  by  name  suspects  in 
investigations;  (12)  identified  quick  response  force  mobilization  TTPs;  (13)  identified  code 
words;  (14)  involved  friendly  action  reports;  (15)  stated  details  of  military  missions;  (16)  named 
multiple  enemy  groups;  (17)  reported  lack  of  casualties;  (18)  reported  lack  of  loss  of  equipment; 
(19)  identified  general  enemy  TTPs;  (20)  involved  an  enemy  small  arms  fire  report;  (21) 
identified  enemy  target  by  name;  (22)  stated  effectiveness  of  enemy  actions;  (23)  described  a 
military  raid;  (24)  identified  sources  and  methods  of  intelligence  collection;  (25)  identified 
responses  based  on  intelligence  gathered;  (26)  detailed  arrest  of  a  suspect;  (27)  stated  detention 
of  a  suspect  would  have  a  significant  impact  on  military  operations;  (28)  described  friendly 
action  of  finding  and  clearing  caches;  (29)  involved  a  border  operations  report;  (30)  described  a 
civil  disturbance;  (31)  identified  unit  locations;  (32)  reported  enemy  casualties;  (33)  stated 
planned  unit  movement;  (34)  stated  details  of  combat  patrols;  (35)  described  key  leader 
engagement;  (36)  assessed  effectiveness  of  local  outreach  programs;  (37)  detailed  kidnapping  of 
a  Servicemember;  and  (38)  described  initiation  of  DUSTWUN  procedures. 

16.  Additionally,  I  reviewed  documents  from  the  AR  15-6  investigation  into  a  military  operation 
that  occurred  in  Farah  province,  Afghanistan  on  or  about  4  May  2009.  The  AR  15-6 
Investigation  into  the  Farah  incident  was  focused  on  investigating  the  circumstances  surrounding 
a  large-scale  civilian  casualties  (CIVCAS)  incident.  The  incident  occurred  in  Gharani,  which  is 
a  village  in  Farah  Province,  Afghanistan.  The  documents  from  the  AR  15-6  investigation  that 
contained  J3  equities  are  located  in  AE  501  and  that  have  the  BATES  numbers:  00377425- 
00377492,  00377496-00377498,  00377627-00377637,  00377674-00377675,  and  00378029- 
0037808 1 .  These  documents  are  contained  within  PE  for  ID.  As  noted  in  PE  ^0  for  ID  I 
found  that  these  documents  contained  information  I  believed  to  be  sensitive  classified  because 
they  reveal  operational  activities,  weapons  systems,  and  code  words. 

17.  As  part  of  my  review  of  the  Farah  documents,  I  reviewed  a  file  named  “BE22  PAX.zip” 
containing  a  video  named  “BE22  PAX.wmv”  (hereinafter  "Gharani  video").  PE  [ for  ID  is  a 
CD  that  contains  both  files  I  reviewed.  The  Gharani  video  depicts  portions  of  a  military 
operation  in  the  Farah  Province,  Afghanistan.  The  Gharani  video  reveals  operational  code  words 
associated  with  the  mission.  The  video  also  reveals  operational  activities  including  troop 
movements  and  weapons  systems.  Finally,  the  video  includes  specific  information  contained  on 
the  heads-up  display. 

18.  After  my  review  of  the  above  referenced  documents  for  USCENTCOM  J3  equities,  I 
forwarded  my  conclusions  and  recommendations  to  Deputy  Commander,  USCENTCOM  an 
Original  Classification  Authority  for  his  final  determination  as  to  whether  the  information  is 
properly  classified. 


ALEXANDER  VON  ELTEN 
CPT,  JA 

Assistant  Trial  Counsel 


MAJ,  JA 

Military  Defense  Counsel 


PFC,  USA 
Accused 
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UNITED  STATES  OF  AMERICA 


) 

) 

) 

) 

) 

) 

) 

) 

) 


v. 


STIPULATION  OF 
EXPECTED  TESTIMONY 


Manning,  Bradley  E. 

PFC,  U.S.  Army, 

HHC,  U.S.  Army  Garrison, 

Joint  Base  Myer-Henderson  Hall 
Fort  Myer,  Virginia  22211 


Ms.  Debra  Van  Alstyne 


i^June  2013 


It  is  hereby  agreed  by  the  Accused,  Defense  Counsel,  and  Trial  Counsel,  that  if  Ms. 

Debra  Van  Alstyne  were  present  to  testify  during  the  merits  phase  of  this  court-martial,  she 
would  testify  substantially  as  follows: 

1.  I  am  the  Aunt  of  PFC  Bradley  E.  Manning.  Brad  came  to  live  with  my  family  in  the  summer 
of  2006.  Brad  uses  my  home  as  his  home  of  record  and  spends  his  leave  and  holidays  with  us. 
When  Brad  came  back  from  Iraq  for  his  mid-tour  leave  in  January  of  2010,  he  stayed  with  us  at 
my  house.  Brad  came  home  on  Sunday,  the  24th  of  January.  On  the  night  of  the  25th  of  January 
he  went  to  Boston  to  visit  his  friends.  Brad  returned  from  Boston  on  Monday,  the  1  st  of 
February  and  came  back  to  stay  with  us  for  the  remainder  of  his  time.  When  Brad  returned,  we 
got  hit  with  a  big  snow  storm  on  Friday  night,  the  5th  of  February,  so  we  ended  up  not  doing 
very  much  other  than  playing  board  games.  After  the  snow  storm,  we  were  without  power  until 
Sunday,  the  7th  of  February.  I  recall  Brad  leaving  during  this  time  by  walking  out  to  the  main 
road  and  telling  me  that  a  friend  was  going  to  pick  him  up.  I  do  not  know  where  he  went,  as  it 
was  not  my  usual  practice  to  ask  him  where  he  was  going.  Brad  left  for  Iraq  on  the  morning  of 
the  9th  of  February. 

2.  On  November  2nd,  2010,  Special  Agent  (SA)  Mark  Mander  searched  my  house  in  connection 
with  this  case.  I  willingly  consented  to  this  search.  Prior  to  the  search,  I  identified  items 
belonging  to  Brad  and  allowed  SA  Mander  to  search  Brad’s  room  in  the  basement.  I  also 
identified  Brad’s  possessions  and  several  boxes  that  contained  Brad’s  possessions.  These  boxes 
and  the  surrounding  area  only  contained  Brad’s  possessions.  One  of  the  boxes  was  a  box  that 
Brad  had  sent  to  me  in  April  of  2010  from  Iraq.  The  box  contained  two  soft  cover  books,  two 
Maryland  T-shirts  and  one  FOB  Hammer  Iraq  T-shirt.  After  SA  Mander  finished  his  search,  he 
set  aside  a  number  of  items  on  Brad’s  bed  and  asked  me  whether  any  of  the  items  belonged  to 
me  or  anyone  else,  and  not  Brad.  I  identified  all  the  items  as  belonging  to  Brad.  I  am  familiar 
with  the  items  that  were  collected  by  SA  Mander.  He  collected  several  of  Brad’s  personal  items 
like  books,  packages,  and  digital  media. 

3.  SA  Mander,  SA  John  Wilbur,  SA  Ronald  Rock,  and  SA  Ezio  Veloso  came  to  interview  me  on 
June  18th,  2010.  The  agents  asked  me  several  questions.  One  of  the  agents  asked  me  about 
how  Brad  felt  about  the  Army.  Based  upon  our  discussions,  I  knew  that  Brad  was  proud  of  his 
job  and  of  being  in  the  Army.  However,  Brad  seemed  to  be  very  quiet  when  he  returned  from 
Iraq  for  his  mid-tour  leave.  He  also  seemed  depressed  to  me.  The  agents  also  asked  me  about 
the  various  email  accounts  that  I  had  used  over  the  vears  and  that  Brad  had  used  over  the  vears 
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and  his  Facebook  account.  I  am  familiar  with  Brad’s  email  accounts.  The  account  names  that 
Brad  used  in  communications  with  me  are  “bradley.e.manning@gmail.com”  and 
“brad405@earthlink.net”.  I  also  told  the  agents  the  five  different  email  addresses  that  I  had  used 
with  Brad  over  the  years.  Most  of  those  email  addresses  were  either  Gmail  or  EarthLink 
addresses.  I  am  also  familiar  with  Brad’s  Facebook  account,  as  I  followed  Brad  on  Facebook 
and  also  posted  a  message  to  his  Facebook  page  on  his  request  after  his  arrest.  Brad  called  me 
from  Kuwait  after  his  arrest.  During  our  conversation,  he  asked  me  if  I  had  seen  the  apache 
helicopter  video.  When  I  said  that  I  had  not.  Brad  asked  me  to  do  a  search  for  “Collateral 
Murder.”  Brad  believed  the  video  was  going  to  be  “big  news”  and  that  it  would  make  a  “big 
splash”  in  America.  As  part  of  this  conversation,  Brad  asked  me  to  post  a  message  to  his 
Facebook  account  to  let  others  know  that  he  was  alive  and  why  he  was  arrested.  I  posted  the 
following  message  for  Brad:  “Some  of  you  may  have  heard  that  I  have  been  arrested  for 
disclosure  of  classified  information  to  unauthorized  persons  See  http://collateralmurder.com/.” 

4.  I  recognize  the  picture  marked  as  Prosecution  Exhibit  (PE)  40  for  Identification.  PE  40 
for  ID  is  a  picture  of  Brad  in  his  room  of  taken  while  he  was  on  his  mid-tour  leave.  I  know  this 
because  the  picture  captures  how  Brad  and  his  room  looked  around  that  time  period. 


ASHDEN  FEIN 
MAJ,  JA 
Trial  Counsel 
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ATTESTATION  CERTIFICATE 


This  document  is  intended  to  meet  the  requirements  set  forth  in  Military  Rules  of  Evidence  Rule 
902(11),  addressing  certified  records  of  regularly  conducted  activity. 


I  swear  or  affirm  that  each  of  the  following  is  true  regarding  the  attached  records,  to  the  best  of 
my  knowledge  and  belief: 

1 .  lam  the  custodian  of  these  records,  or  I  am  an  employee  familiar  with  the  manner  and 
process  in  which  these  records  are  created  and  maintained,  by  virtue  of  my  duties  and 
responsibilities; 

2.  The  records  were  made  at  or  near  the  time  of  the  occurrences  of  the  matters  set  forth  by 
or  from  Information  transmitted  by,  people  with  knowledge  of  these  matters; 

3.  The  records  were  kept  in  the  course  of  regularly  conducted  business  activity; 

4.  It  was  the  regular  practice  of  the  business  activity  to  make  the  records;  and 

5.  The  records  are  a  true,  accurate,  and  complete  copy  of  the  original  documents. 


List  of  attached  records: 

Army  Training  and  certification  screenshot.pdf  (1  Page) 
Army  Training  and  certification  screenshot1.pdf  (1  Page) 


Organization 

\/\/}llc0  Tec/iAoloj/'es  ~X/\C . 

Signature  v  > 

Date 

?lrh,  2.C-/2 

Print  oCType  Name 

0ovo\ 

Title 

XT 

Busings  Telephone 

Business  Address 

816- W Z-626Z  *  ISg 


72.  9  Wj/fj-  s-f-  kc j  sho 


Subscribed  and  sworn  to  before  a  notary  public,  this  day 


of 


3  h'. 


Notary  Public 

(  jT\>hL  (jL  vAai  JLci 


My  commission  expires  on: 


£4/06 
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UNITED  STATES  OF  AMERICA 
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v. 


STIPULATION  OF 
EXPECTED  TESTIMONY 


Manning,  Bradley  E. 

PFC,  U.S.  Army, 

HHC,  U.S.  Army  Garrison, 

Joint  Base  Myer-Henderson  Hall 
Fort  Myer,  Virginia  22211 


Mr.  Wyatt  Bora 


June  2013 


It  is  hereby  agreed  by  the  Accused,  Defense  Counsel,  and  Trial  Counsel,  that  if  Mr. 

Wyatt  Bora  were  present  to  testify  during  the  merits  and  pre-sentencing  phases  of  this  court- 
martial,  he  would  testify  substantially  as  follows. 

1 .  I  am  a  retired  Captain  in  the  United  States  Air  Force.  I  served  on  active  duty  from  1987  to 
2008.  I  have  a  BS  in  Computer  Engineering  from  the  University  of  New  Hampshire  in  1999.  I 
have  a  Masters  in  Computer  Engineering  from  Rensselaer  Polytechnic  Institute  in  2004.  In  the 
Air  Force,  I  primarily  worked  as  a  computer  engineer  and  a  manager  of  other  computer 
engineers.  I  also  wrote  computer  code  and  created  technical  software  solutions.  I  created 
interactive  lab  displays  with  speech  control.  I  managed  air  operations  system  tests  and 
development  for  command  and  control  of  the  Air  Operations  Center.  I  also  worked  as  a  systems 
engineer  on  large  information  technology  (IT)  systems  designed  to  manage  financial 
transactions.  As  a  systems  engineer,  I  planned  IT  system  architecture  to  ensure  the  system 
worked  together,  managed  requirements  and  costs,  and  scheduled  performance  tests. 

2.  After  retiring  from  active  duty  in  2008, 1  began  working  at  the  Air  Force  Research  Lab  in 
Rome,  New  York,  as  a  civilian  working  on  acquisition  of  command  and  control  IT.  At  the  Air 
Force  Research  Lab,  I  managed  other  IT  programs  with  a  focus  on  command  and  control 
applications  at  the  operational  level. 

3.  In  January  2012, 1  became  the  Program  Manager  (PM)  for  the  Combined  Information 
Database  Network  Exchange  (CIDNE)  program.  As  the  PM  for  CIDNE,  I  am  responsible  for  the 
day-to-day  management  of  the  entire  program.  I  am  responsible  for  finances,  to  include 
projecting  budgetary  requirements  and  meeting  the  program’s  budget.  I  am  also  responsible  for 
ensuring  that  customer  needs  are  met.  Customers  submit  change  requests  that  request  the 
addition  of  a  function  or  a  change  to  current  functionality.  I  make  sure  customer  functionality 
needs  are  met.  Customers  also  submit  problem  reports  that  note  bugs  and  flaws  in  the  system.  I 
make  sure  that  these  bugs  and  flaws  are  corrected. 

4.  CIDNE  is  a  reporting  and  querying  system.  CIDNE  links  operations  information  with 
intelligence  information  and  breaks  the  traditional  stovepipe  separating  the  two  types  of 
information.  In  particular,  the  system  linking  intelligence  and  operations  systems  breaks  down 
stovepipes  between  the  2  (intelligence),  3  (operations),  and  5  (planning)  shops.  This  linkage  of 
operations  information  and  intelligence  information  has  been  designed  to  provide  commanders 
with  fuller,  more  accurate  information  on  which  to  base  command  decisions,  particularly  in  the 


field. 
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5.  CIDNE  is  a  direct  reporting  system  for  the  United  States  Central  Command  (USCENTCOM) 
and  is  used  by  USCENTCOM  and  its  subordinate  commands.  In  September  2007, 
USCENTCOM  issued  FRAGO  09-1290  to  direct  all  units  to  use  CIDNE  for  report  creation.  As 
a  reporting  system,  CIDNE  allows  users  to  enter  information  into  a  report.  There  are 
approximately  130  types  of  CIDNE  reports.  Some  of  the  130  types  of  CIDNE  reports  are 
Human  Intelligence  (HUMINT)  reports.  Human  Terrain  reports,  Counter  IED  (C-IED)  reports. 
Targeting  reports,  Socio-Cultural  reports,  Civil  Affairs  reports,  Psychological  Operations 
(PSYOP)  reports,  and  Significant  Activity  (SIGACT)  reports.  One  of  the  reports  frequently 
used  by  Servicemembers  in  the  field  is  the  SIGACT  reports.  A  SIGACT  is  a  report  created  by 
a  Servicemember  at  the  completion  of  a  mission.  The  SIGACT  is  input  into  CIDNE  for  use  by 
the  unit  that  completed  the  mission  and  any  other  unit  with  authorized  access  to  CIDNE.  Of  the 
approximately  130  types  of  reports,  the  SIGACT  is  the  most  commonly  used  report  on  CIDNE. 
SIGACTs  constitute  approximately  24%  of  all  reports  created,  depending  on  the  reporting 
period. 

6.  For  SIGACTs  and  other  reports,  CIDNE  requires  completeness.  CIDNE  has  automatic 
quality  assurance  built  into  the  database,  and  a  user  cannot  complete  a  report  without  entering 
information  into  specified  fields.  Additionally,  CIDNE  has  manual  quality  control  because  most 
reports  are  reviewed  for  completeness  by  people  engaged  in  quality  assurance.  The  quality 
control  mechanisms  ensure  that  the  reports  contain  sufficient  information  for  future  use. 
Furthermore,  CIDNE  reports  are  marked  according  to  their  classification,  including  unclassified, 
confidential,  and  secret. 

7.  CIDNE  is  also  a  querying  system  because  authorized  users  can  search  the  database  for 
previous  reports.  A  user  can  search  by  keywords,  to  include  terms  and  topics,  dates,  and 
locations.  This  querying  system  allows  users  to  see  and  use  any  report  in  the  CIDNE  system. 
CIDNE  uses  database  administrators.  In  2009-10,  these  administrators  were  on-site,  which 
means  they  must  be  present  at  the  physical  location  of  servers,  to  include  Iraq,  Afghanistan,  and 
Tampa,  Florida.  CIDNE  is  a  complex  system  with  millions  of  line  of  programming  code  due  to 
the  volume  of  data.  In  particular,  creating  the  structure  to  make  the  data  retrievable  (searchable) 
requires  significant  resources.  The  program  has  continually  employed  approximately  20-30  or 
more  programmers  to  develop,  maintain,  and  debug  the  code  for  CIDNE  so  that  the  database 
may  maintain  all  the  different  reports,  including  SIGACTS  for  use  on  classified  networks.  In 
2007,  the  program  spent  approximately  $900,000  on  data  management  in  Iraq.  In  2008,  the 
program  spent  approximately  $1,000,000  on  data  management  in  Iraq.  In  2009,  the  program 
spent  approximately  $4,200,000  on  data  management  in  Afghanistan  and  $1,800,000  on  data 
management  in  Iraq.  In  2010,  the  program  spent  approximately  $3,600,000  on  data  management 
in  Afghanistan.  In  201 1,  the  program  spent  approximately  $3,000,000  on  data  management  in 
Afghanistan  and  $570,0000on  data  management  in  Iraq.  In  2012,  the  program  spent 
approximately  $5,000,000  on  data  management  in  Afghanistan.  These  data  management  costs 
are  directly  associated  with  keeping  the  data  useable  on  the  classified  networks.  I  do  not  know 
the  data  management  costs  for  Iraq  for  2005,  2006,  2010,  and  2012,  and  I  do  not  know  the  data 
management  costs  for  Afghanistan  for  2005. 

8.  CIDNE  has  undergone  constant  development  in  its  existence  to  improve  its  functionality. 
CIDNE  is  currently  being  developed  to  save  costs  by  changing  its  configuration  to  permit 
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changes  to  reports  without  a  developer’s  intervention  at  the  physical  location  of  the  user. 
Responses  to  change  requests  require  new  code  to  be  added.  Depending  on  the  nature  of  the 
change  request,  which  range  from  adding  a  new  field  to  an  existing  report  to  creating  an  entirely 
new  report,  coding  development  can  take  anywhere  from  5  to  several  hundred  hours.  These 
developments  require  research  and  incur  significant  costs.  In  2005,  the  program  spent 
approximately  $1,100,000  for  development  and  testing  in  Iraq  and  $1,800,000  in  development 
and  testing  in  the  Continental  United  States  (CONUS).  In  2006,  the  program  spent 
approximately  $1,770,000  for  development  and  testing  in  Iraq  and  $790,000  in  development  and 
testing  in  CONUS.  In  2007,  the  program  spent  approximately  $1,320,000  for  development  and 
testing  in  Iraq  and  $1,810,000  in  development  and  testing  in  CONUS.  In  2008,  the  program 
spent  approximately  $950,000  for  development  and  testing  in  Afghanistan,  $2,690,000  for 
development  and  testing  in  Iraq,  and  $3,610,000  in  development  and  testing  in  CONUS.  In 
2009,  the  program  spent  approximately  $2,760,000  for  development  and  testing  in  Afghanistan, 
$3,280,000  for  development  and  testing  in  Iraq,  and  $5,500,000  in  development  and  testing  in 
CONUS.  In  2010,  the  program  spent  approximately  $4,200,000  for  development  and  testing  in 
Afghanistan,  $2,650,000  for  development  and  testing  in  Iraq,  and  $4,980,000  in  development 
and  testing  in  CONUS. 

9.  To  gain  access  to  CIDNE,  a  user  first  needs  to  be  authorized  to  access  an  IT  system.  Second, 
a  user  needs  to  be  authorized  to  use  a  network  domain  authorized  to  host  CIDNE.  CIDNE  and 
SIGACTs  within  CIDNE  are  only  available  on  classified  networks.  All  classified  domains  on 
which  CIDNE  exists  require  a  security  clearance  to  access.  Finally,  a  user  must  be  authorized  to 
access  the  database.  A  user  can  obtain  access  only  if  he  has  a  security  clearance  and  a  need  to 
know  the  information  accessible  on  CIDNE.  By  default,  CIDNE  is  read  only.  A  user  must  apply 
for  permission  to  be  granted  the  ability  to  create  reports  on  CIDNE. 

10.  CIDNE  currently  uses  12  Centrix  servers  and  9  SIPRNET  servers.  During  2009-10,  CIDNE 
used  additional  servers.  Each  server  costs  approximately  $48,000.  Servers  hosting  CIDNE-Iraq 
were  hosted  in  Iraq.  CIDNE-Afghanistan  servers  were  and  are  located  in  Afghanistan.  Some 
servers  were  and  are  located  in  Tampa,  Florida.  In  2007,  the  program  spent  approximately 
$720,000  on  hardware  in  Iraq.  In  2008,  the  program  spent  $560,000  on  hardware  in  Afghanistan 
and  $190,000  on  hardware  in  Iraq.  In  2009,  the  program  spent  approximately  $1,660,000  on 
hardware  in  Afghanistan  and  $520,000  on  hardware  in  Iraq.  In  2010,  the  program  spent 
$760,000  on  hardware  in  Afghanistan.  In  201 1,  the  program  approximately  spent  $180,000  on 
hardware  in  Afghanistan.  In  2012,  the  program  spent  approximately  $3,680,000  on  hardware  in 
Afghanistan. 

1 1 .  Before  units  deploy,  they  receive  training.  As  PM,  I  am  responsible  for  ensuring  the  proper 
resources  are  in  place  to  support  the  various  training  courses  offered  for  CIDNE.  The  courses 
range  from  1  day  to  2  weeks.  In  addition,  there  is  a  three  week  advanced  course.  Also,  units 
conducting  exercises  utilize  CIDNE  as  part  of  that  training,  and  the  program  supports  the  needs 
of  the  units.  In  2005,  the  program  spent  approximately  $1,100,000  for  Iraq  training.  In  2006, 
the  program  spent  approximately  $1,180,000  for  Iraq  training  and  $480,000  for  CONUS  training. 
In  2007,  the  program  spent  approximately  $2,570,000  for  Iraq  training  and  $200,000  for  CONUS 
training.  In  2008,  the  program  spent  approximately  $1,850,000  for  Afghanistan  training, 
$5,220,000  for  Iraq  training,  and  $1,550,000  for  CONUS  training.  In  2009,  the  program  spent 


3 


O 


O 


approximately  $5,360,000  for  Afghanistan  training,  $6,370,000  for  Iraq  training,  and  $3,660,000 
for  CONUS  training.  In  2010,  the  program  spent  approximately  $8,140,000.00  for  Afghanistan 
training,  $5,1 50,000  for  Iraq  training,  and  $3,320,000  for  CONUS  training.  In  2011,  the 
program  spent  approximately  $18,410,000  for  Afghanistan  training,  $2,650,000  for  Iraq  training, 
and  $6,150,000  for  CONUS  training.  In  2012,  the  program  spent  approximately  $8,790,000  for 
Afghanistan  training  and  $2,740,000  for  CONUS  training. 

12.  I  cannot  attribute  a  specific  amount  of  the  costs  for  data  management,  development  and 
testing,  hardware,  and  training  to  any  specific  report.  None  of  these  costs  include  operational 
unit  costs. 

13.  From  2005  through  2012,  the  CIDNE  program  spent  approximately  $181,160,000  on 
contracted  support  required  to  run  the  program,  to  include  development,  training,  data 
management,  and  hardware.  In  addition,  from  2005  through  2012,  the  program  spent 
approximately  $5,434,800.00  on  program  management  support,  to  include  government  testing, 
administrative  oversight,  and  research  and  development.  These  costs  support  the  development 
and  maintenance  of  CIDNE,  which  is  an  information  system.  The  hardware,  to  include  the 
servers,  involves  significant  costs.  Over  25  individuals  work  primarily  to  ensure  CIDNE 
functions  correctly,  and  their  salaries  are  primarily  derived  from  their  work  on  CIDNE.  The 
system  has  been  designed  and  developed  to  provide  robust  features  to  provide  classified 
information  to  commanders  in  combat  environments.  The  information  is  valuable  because  the 
system  accumulates  different  types  of  information  in  one  place  for  authorized  officials  to  access 
and  review.  The  United  States  government  has  dedicated  significant  resources — over 
$185,000,000 — to  CIDNE  because  the  information  has  significant  value  to  commanders.  Year 
to  year  increases  in  spending  can  be  attributable  to  increased  troop  presence  in  a  given  nation. 
CIDNE  has  been  designed  to  aid  commanders  in  making  operational  decisions,  and  safety  of 
operations  decisions  in  particular,  based  on  CIDNE  data. 

14.  At  no  time  was  the  SIGACT  information  charged  in  this  case  unavailable  for  access  on  the 
CIDNE  database.  Those  that  accessed  the  SIGACT  database  before  May  of  2010  did  so  in  the 
same  manner  after  May  of  2010.  We  continue  to  use  the  SIGACTs  charged  in  this  case  in  the 
CIDNE  database.  To  the  best  of  my  knowledge,  the  United  States  Government  has  never  made 
these  databases  publically  available. 


ALEXANDER  VON  ELTEN 
CPT,  JA 

Assistant  Trial  Counsel 


MAJ,  JA 

Military  Defense  Counsel 


PFC,  USA 
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UNITED  STATES  OF  AMERICA 


) 

) 

) 

) 

) 

) 

) 

) 

) 


v. 


STIPULATION  OF 
EXPECTED  TESTIMONY 


Manning,  Bradley  E. 

PFC,  U.S.  Army, 

HHC,  U.S.  Army  Garrison, 

Joint  Base  Myer-Henderson  Hall 
Fort  Myer,  Virginia  22211 


Mr.  Patrick  Hoeffel 


1<P  June  2013 


It  is  hereby  agreed  by  the  Accused,  Defense  Counsel,  and  Trial  Counsel,  that  if  Mr. 
Patrick  Hoeffel  were  present  to  testify  during  the  merits  and  pre-sentencing  phases  of  this  court- 
martial,  he  would  testify  substantially  as  follows. 

1.  I  am  a  software  engineer  at  Intelligent  Software  Solutions,  Inc.,  Colorado  Springs,  Colorado. 

I  design  and  write  software  systems,  such  as  the  Combined  Information  Data  Network  Exchange 
(CIDNE)  database,  and  manage  eight  other  individuals  who  also  write  software  code  for  CIDNE. 
In  1989, 1  earned  my  Bachelor  of  Science  degree  in  Computer  Science  from  Catholic  University 
in  Washington,  DC.  During  the  time  I  was  attending  school,  I  worked  from  1987  to  1989  in  the 
school  computer  lab  as  student  help  desk  support.  Also,  in  1989, 1  worked  for  a  rent  control 
apartment  management  company  writing  software.  From  1989  to  1997, 1  worked  in  Columbus, 
Ohio,  as  a  software  engineer  for  a  company  called  CompuServe,  which  was  bought  by  America 
Online  (AOL).  From  1997  to  1998, 1  additionally  worked  as  a  consultant  for  Compuware, 
contracted  to  MCI,  which  is  now  Verizon. 

2.  In  2000, 1  received  80  hours  of  course  instruction  on  the  Design  and  Maintenance  of 
Structured  Query  Language  (SQL)  Server  Databases  and  Systems.  This  instruction  provided 
foundational  knowledge  for  my  work  as  a  software  and  database  engineer.  From  1998  to  1999, 1 
worked  at  software  start-up  company  called  TribalVoice.  At  TribalVoice,  I  was  a  software 
engineer. 

3.  From  1999  to  2006, 1  worked  at  a  software  startup  company  called  ConfigureSoft,  in 
Colorado  Springs,  Colorado.  I  worked  at  ConfigureSoft  as  a  software  engineer  with  an  emphasis 
on  the  design  of  database  systems.  I  also  designed  databases  and  software  systems  to  be  used  by 
systems  administrators.  As  a  database  and  software  designer,  I  became  familiar  with  systems 
administration. 

4.  I  have  worked  at  Intelligent  Software  Solutions,  Inc.  since  September  2006.  During  my  time 
at  Intelligent  Software  Solutions,  I  have  spent  two  years  as  the  lead  CIDNE  engineer  in  theater 
and  at  corporate  headquarters.  I  have  been  responsible  for  the  management  of  day-to-day 
CIDNE  engineering  operations.  I  have  managed  approximately  20  individuals  that  range  from 
software  engineers,  to  database  engineers,  testers,  and  system  administrators. 

5.  I  have  no  military  experience,  but  I  have  deployed  as  a  contractor  with  Intelligent  Software 
Solutions,  Inc.  I  deployed  to  Victory  Base  Complex  (VBC),  Iraq  from  September  2007  to 
December  2007  as  a  software  engineer  working  on  the  CIDNE  database.  I  deployed  again  from 
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May  2009  to  September  2009  to  the  VBC,  Iraq,  working  as  a  software  engineer  on  the  CIDNE 
database.  From  May  2010  to  August  2010, 1  deployed  to  Kabul,  Afghanistan  as  a  theater 
technical  lead  working  on  the  CIDNE  database.  I  last  deployed  from  May  2011  to  September 
2011  to  Kabul,  Afghanistan  as  a  theater  technical  lead  working  on  the  CIDNE  database.  I  have 
over  25  years  of  computer  science  expertise  developed  through  courses  and  experience. 

6.  I  am  familiar  with  the  CIDNE  software  and  the  database  in  particular  because  I  developed  the 
database.  CIDNE  is  a  centralized  database  that  stores  information  about  events,  people, 
organizations,  and  facilities,  and  makes  that  information  available  to  users  throughout  Iraq, 
Afghanistan,  and  the  United  States.  There  are  different  CIDNE  databases  for  Iraq  and 
Afghanistan.  The  Iraq  server  at  United  States  Central  Command  (USCENTCOM)  Headquarters 
(HQ)  is  physically  distinct  from  the  Afghanistan  server.  The  two  do  not  share  data  with  each 
other.  The  Iraq  data  is  stored  in  a  series  of  servers  that  are  positioned  at  various  locations  in  Iraq, 
with  all  data  being  constantly  copied  back  to  a  CIDNE-Iraq  server  at  USCENTCOM  HQ  in 
Tampa,  Florida,  for  use  by  interested  entities.  All  data  is  the  same  across  all  Iraq  servers. 
Afghanistan  data  is  stored  in  a  series  of  servers  that  are  positioned  at  various  locations  in 
Afghanistan,  with  all  data  copied  back  to  a  CIDNE-Afghanistan  server  in  Tampa.  This  setup 
was  created  to  make  data  available  as  broadly  as  possible. 

7.  CIDNE  can  be  accessed  through  one  of  the  seven  different  classified  networks,  including 
SIPRNET  and  JWICS.  CIDNE  is  only  available  on  classified  networks.  CIDNE  data  is 
accessed  using  a  CIDNE  web  site.  To  see  Afghanistan  data,  one  must  open  a  CIDNE-A  web 
page  on  a  CIDNE-Afghanistan  server.  Likewise,  Iraq  data  must  be  accessed  via  a  CIDNE-I 
server  through  a  CIDNE-I  web  site.  During  the  2009-2010  timeframe  one  could  access  a 
database  by  logging  in  as  self-registered  or  as  a  guest  user  to  browse.  As  of  today,  capabilities 
were  developed  to  see  who  views  data  and  an  enhanced  log-in  system  was  designed  for  access  to 
the  CIDNE  database.  One  can  no  longer  browse  the  database  without  logging  in  as  a  self- 
registered  user.  Prior  to  the  recent  log-in  requirements,  the  CIDNE  databases  did  not  track 
individual  users’  access  by  IP  address  or  otherwise. 

8.  CIDNE  reports  are  individual  reports  of  specific  unit  actions.  CIDNE  is  the  USCENTCOM 
directed  reporting  tool  for  the  majority  of  operational  reporting  in  Iraq  and  Afghanistan.  It  is  a 
structured  collection  of  data  with  over  100  different  types  of  reports,  including  Significant 
Activity  reports  (SIGACTs).  SIGACTs  are  only  one  report  type  in  CIDNE,  but  it  is  one  of  the 
most  frequently  used  type  of  report  along  with  Human  Intelligence  (HUMINT)  and  Counter-IED 
(C-IED)  reports.  SIGACTs  are  often  used  because  of  their  content.  SIGACTs  are  summaries  of 
actual  events  created  at  the  time  of  those  events.  The  reports  state  the  who,  what,  when,  and 
where  of  events  encountered  by  the  unit. 

9.  A  user  can  create  a  report  only  if  the  user’s  unit  administrator  grants  the  authority  to  populate 
reports  on  the  system.  Any  user  with  access  to  CIDNE  on  a  classified  network  could  browse  the 
information.  During  the  2009-2010  timeframe,  the  CIDNE  database  did  not  record  who  looked 
at  the  data.  Instead,  CIDNE  only  recorded  who  was  creating  reports  and  what  types  of  reports 
were  being  created.  As  the  theater  technical  lead  in  Afghanistan,  I  frequently  worked  with  users 
who  created  reports  and  the  types  of  reports  the  users  created.  CIDNE  requires  reports  have 
certain  fields  completed.  The  database  will  not  accept  a  report  unless  the  required  fields  are 
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completed.  Classification  is  a  mandatory  field  with  unclassified,  confidential,  and  secret  as  the 
options.  Thus,  all  reports,  including  all  SIGACTs,  are  marked  with  a  classification.  Once  a 
report  is  entered  into  CIDNE,  the  database  assigns  a  unique  value  called  a  “report  key”  that  is 
used  by  the  database  to  identify  individual  reports  and  allows  the  user  to  quickly  query  the 
database. 

10.  In  August  2010, 1  was  tasked  to  participate  in  the  Information  Review  Task  Force  (IRTF)  at 
the  Defense  Intelligence  Agency  (DIA)  based  on  my  CIDNE  expertise.  My  original  task  was  to 
verify  and  confirm  that  the  compromised  data  came  from  the  CIDNE-A  database,  and  later  I  also 
was  tasked  to  review  the  CIDNE-I  database.  As  a  part  of  the  IRTF,  I  identified  the  source  of  the 
compromised  data,  the  time  frame  in  which  the  data  was  taken  based  on  examination  of  the 
released  data,  and  data  in  the  source  database.  Using  computer  software,  I  compared  the 
compromised  CIDNE-A  report  keys  to  the  report  keys  in  the  original  database.  Based  on  my 
comparison,  I  concluded  the  hundreds  of  thousands  of  compromised  report  keys  and  the  original 
report  keys  on  the  CIDNE-A  database  were  identical.  I  spent  about  two  weeks  on  the  IRTF 
initially.  I  returned  to  the  IRTF  in  November  2010  after  the  CIDNE-I  database  was  released.  I 
repeated  the  comparison  procedures  for  CIDNE-I.  Using  computer  software,  I  compared  the 
compromised  CIDNE-I  report  keys  to  the  original  report  keys  in  the  database.  Based  on  my 
comparison,  I  concluded  the  tens  of  thousands  of  compromised  report  keys  and  the  original 
report  keys  on  the  CIDNE-I  database  were  identical. 

1 1 .  At  the  bottom  of  the  CIDNE  database  search  query  results  screen,  CIDNE  allows  a  user  to 
export  SIGACTS  into  a  “.csv”  format.  CIDNE  only  exports  one  month  at  a  time.  This  export 
function  is  available  for  users  to  download  specific  information  in  order  to  use  the  information 
with  other  programs  or  systems.  During  my  investigation,  I  determined  that  the  last  of  the 
compromised  CIDNE-A  data  was  pulled  from  the  CIDNE-A  System  in  the  57  seconds  between 
1 1 :5 1 :30Z  and  1 1 :52:27Z  (Zulu  time).  Afghanistan  servers  are  all  set  to  Zulu  time,  and  thus  the 
reported  dates  are  all  in  Zulu  time.  The  compromised  data  from  CIDNE-A  was  pulled  before  7 
Jan  2010  1 1 :52:27Z  because  that  is  the  date  and  time  of  the  first  update  made  to  a  report  where 
the  update  did  not  appear  in  the  compromised  data.  The  compromised  data  was  pulled  from  the 
CIDNE-A  system  after  7  Jan  2010  1 1 :5 1 :30Z  because  that  is  the  date  and  time  of  the  last  update 
made  to  a  report  where  the  update  appeared  in  the  compromised  data.  Every  modification  prior 
to  that  time  appears  in  the  compromised  data. 

12.  The  compromised  Iraq  data  was  pulled  from  the  CIDNE-I  system  in  the  14  minutes  and  51 
seconds  between  04:39:13C  and  04:54:04C  (Iraq  time).  Iraq  servers  are  set  to  local  time  and 
record  their  dates  in  local  time,  which  is  Zulu+3  on  3  Jan  2010.  The  compromised  data  from 
CIDNE-I  was  pulled  before  3  Jan  2010  04:54:04C.  The  first  data  modification  that  does  not 
appear  in  the  compromised  data  occurred  at  3  Jan  2010  04:54:04C.  Every  modification  prior  to 
that  time  appears  in  the  compromised  data,  while  all  modifications  at  this  point  and  following  do 
not  appear  in  the  compromised  data.  The  compromised  data  from  CIDNE-I  had  to  have  been 
pulled  after  3  Jan  2010  04:39: 13C.  The  last  modification  to  appear  in  the  compromised  data 
occurred  at  3  Jan  2010  04:39: 13C.  Every  modification  including  and  prior  to  that  time  appears  in 
the  compromised  data. 


3 


G 


Q 


13.  At  no  time  was  the  S1GACT  information  charged  in  this  case  unavailable  for  access  on  the 
CIDNE  database.  Those  that  accessed  the  SIGACT  database  before  May  of  2010  did  so  in  the 
same  manner  after  May  of  2010.  We  continue  to  use  the  SIGACTs  charged  in  this  case  in  the 
CIDNE  database.  To  the  best  of  my  knowledge,  the  United  States  Government  has  never  made 
these  databases  publicly  available 


ALEXANDER  VON  ELTEN 
CPT,  JA 

Assistant  Trial  Counsel 


MAJ,  JA 

Military  Defense  Counsel 


PFC,  USA 
Accused 
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UNITED  STATES  OF  AMERICA 
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v. 


STIPULATION  OF 
EXPECTED  TESTIMONY 


Manning,  Bradley  E. 

PFC,  U.S.  Army, 

HHC,  U.S.  Army  Garrison, 

Joint  Base  Myer-Henderson  Hall 
Fort  Myer,  Virginia  22211 


CW5  John  Larue 


10  June  2013 


It  is  hereby  agreed  by  the  Accused,  Defense  Counsel,  and  Trial  Counsel,  that  if  CW5 
John  Larue  were  present  to  testify  during  the  merits  and  pre-sentencing  phases  of  this  court- 
martial,  he  would  testify  substantially  as  follows. 

1 .  I  am  currently  assigned  to  the  Pentagon.  I  have  22  years  of  experience  flying  helicopters  for 
the  United  States  Army.  I  have  been  a  pilot  since  1984.  I  entered  active  duty  in  1990.  From 
1990  until  1  January  201 1, 1  was  an  Apache  helicopter  pilot.  After  1  January  201 1, 1  became  a 
general  aviation  officer  in  light  of  my  promotion  to  CW5. 

2.  In  1991, 1  was  a  Cobra  pilot.  In  1993, 1  qualified  to  fly  the  Apache  AH-64  A  (AH-64A).  In 
1998, 1  qualified  as  an  instructor  pilot  on  the  AH-64A.  I  have  flown  the  AH-64A  in  combat  in 
Bosnia.  In  2000, 1  qualified  to  fly  the  AH-64D.  Later  in  2000, 1  qualified  as  an  instructor  pilot 
on  the  AH-64D.  I  deployed  to  Kuwait  in  2002  as  part  of  Operation  Desert  Spring.  I  deployed  to 
Iraq  in  2003,  and  I  flew  in  combat  as  an  AH-64D  pilot  in  Operation  Iraqi  Freedom.  I  deployed 
to  Afghanistan  in  2008  and  flew  combat  missions  during  that  deployment.  In  sum,  I  have 
approximately  3000  hours  of  flight  time  and  approximately  200  hours  of  combat  flight  time. 

3.  From  2004-2008, 1  worked  at  Army  Tactics  Development  at  Fort  Rucker.  In  this  position,  I 
developed  combat  tactics.  In  particular,  I  developed  tactics  driven  by  equipment,  especially 
survivability  equipment.  At  Army  Tactics  Development,  I  field  tested  equipment,  verified  the 
results,  and  developed  tactics,  techniques,  and  procedures  (TTPs)  in  accordance  with  the  test 
results. 

4.  From  2008-2009, 1  was  the  tactical  operations  officer  for  the  brigade  aviation  element  of  the 
3rd  Brigade  Combat  Team  of  1ID.  As  the  tactical  operations  officer,  I  managed  all  attack  and 
reconnaissance  aircraft  in  eastern  Afghanistan. 

5.  Since  2009, 1  have  been  stationed  at  the  Pentagon  and  worked  at  Department  of  the  Army 
Military  Operations- Aviation  (DAMO-AV).  At  DAMO-AV,  I  work  in  the  G-3/5/7,  which 
manages  Army  aviation.  I  am  the  aircraft  survivability  equipment  action  officer  at  DAMO-AV. 

6.  The  AH-64D  is  an  upgraded  version  of  the  AH-64A.  The  AH-64D  uses  digital  displays 
whereas  the  AH-64A  relies  on  analog  displays. 

7.  I  am  familiar  with  the  video  file  named  “12  JUL  07  CZ  ENGAGEMENT  ZONE  30  GC 
Anyone.avi”  (Apache  video)  because  I  reviewed  the  video.  I  reviewed  the  Apache  video  for 
sensitive  information,  to  include  systems  capabilities  and  communications.  I  relied  on  my 
experience  as  a  pilot,  instructor  pilot,  and  as  an  offic 
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defensive  technologies.  I  also  relied  on  the  Noble  Eagle  classification  guide,  which  set 
classification  standards  for  all  helicopter  videos  in  OPERATION  ENDURING  FREEDOM  and 
then  later  in  OPERATION  IRAQI  FREEDOM.  Finally,  I  considered  the  security  classification 
guide  for  the  Apache  helicopter  itself.  I  did  not  consider  any  open  source  reporting  on  this 
particular  incident.  I  also  did  not  consider  the  fact  that  I  have  seen  similar  videos  with  the 
sensitive  information  visible  on  the  internet.  This  video  is  Prosecution  Exhibit  15  for 
Identification. 

8.  The  Apache  video  shows  the  display  of  an  AH-64D.  I  know  the  display  is  of  an  AH-64D 
because  it  is  digital,  and  I  have  extensive  experience  using  the  AH-64D  digital  display.  The 
Apache  video  shows  the  high-action  display.  The  high  action  display  shows  the  use  of  a  laser  for 
ranging,  altitude  and  air  speed.  The  laser  also  shows  angles  of  engagement.  The  ranges  and 
attack  approaches  are  TTPs.  Based  on  my  experience  and  training,  TTPs  are  sensitive  Army 
aviation  information.  Adversarial  forces  who  know  TTPs  could  be  able  to  anticipate  United 
States  operations  and  the  adversarial  forces  will  be  able  to  plan  more  effective  attacks  as  a  result. 
The  high  action  display  also  shows  the  heading  tape,  which  reveals  the  sensor  and  the  sensor’s 
acquisition  of  targets  and  other  information.  This  display  of  the  sensor  in  action  could  be  used  to 
determine  the  limitations  of  the  sensor’s  capabilities.  Based  on  my  experience  and  training,  the 
sensor’s  capabilities  are  sensitive  Army  aviation  information.  The  sensor  also  reveals  the 
position  of  the  helicopter  during  an  operation,  which  could  be  used  to  determine  more  aspects  of 
TTPs.  TTPs  are  a  puzzle,  and  revealing  any  piece  could  make  solving  the  puzzle  easier  for  an 
adversary. 

9.  Videos  of  Army  helicopter  combat  missions  are  recorded  regularly  for  training  and  reviewed 
for  effectiveness.  As  a  helicopter  pilot,  I  have  been  taught  not  to  release  the  videos  to  the  public 
nor  to  reveal  the  sensitive  information  contained  therein.  As  a  helicopter  instructor  pilot,  I  have 
instructed  students  not  to  release  the  video  nor  to  reveal  the  sensitive  information  contained 
therein. 

1 0.  Helicopter  units  have  procedures  for  protecting  the  videos  and  the  information  the  videos 
contain.  In  my  experience  under  the  procedures  employed  by  the  units,  all  videos  requiring 
review  are  turned  into  flight  operations  by  pilots  or  support  personnel.  The  videos  are  reviewed 
and  used  again  as  needed.  Thus,  the  information  may  be  recorded  over  but  it  is  not  physically 
released.  If  a  video  contains  information  that  requires  being  saved,  the  video  is  ported  over  to  a 
system  on  the  SIPRNET.  After  the  information  is  secured  on  the  SIPRNET,  the  tape  may  be 
recorded  over  again.  In  my  experience,  videos  that  are  physically  released  are  sanitized  for  the 
types  of  information  described  in  paragraph  8  of  this  stipulation  before  the  video  is  publicly 
released.  The  actual  video  footage  is  not  classified.  Coupling  the  video  footage  with  thejiata 
makes  the  information  sensitive. 


ALEXANDER  VON  ELTEN  THOMAS  F.  HURLEY^ 

CPT,  JA  MAJ,  JA 

Assistant  Trial  Counsel  Military  Defense  Counsel 


BRADLEY  E.  MANNING 

PFC,  USA 

Accused 
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Prosecution  Exhibit  118a 
2  pages 
classified 
"SECRET” 

ordered  sealed  for  Reason  2 
Military  Judge’s  Seal  Order 
dated  20  August  2013 
stored  in  the  classified 
supplement  to  the  original 
Record  of  Trial 


INSTRUCTIONS  FOR  PREPARING  AND  ARRANGING  RECORD  OF  TRIAL 


USE  OF  FORM  -  Use  this  form  and  MCM,  1984, 
Appendix  14,  will  be  used  by  the  trial  counsel  and 
the  reporter  as  a  guide  to  the  preparation  of  the 
record  of  trial  in  general  and  special  court-martial 
cases  in  which  a  verbatim  record  is  prepared.  Air 
Force  uses  this  form  and  departmental 
instructions  as  a  guide  to  the  preparation  of  the 
record  of  trial  in  general  and  special  court-martial 
cases  in  which  a  summarized  record  is  authorized. 
Army  and  Navy  use  DD  Form  491  for  records  of 
trial  in  general  and  special  court-martial  cases  in 
which  a  summarized  record  is  authorized. 
Inapplicable  words  of  the  printed  text  will  be 
deleted. 

COPIES  -  See  MCM,  1984,  RCM  1103(g).  The 
convening  authority  may  direct  the  preparation  of 
additional  copies. 

ARRANGEMENT  -  When  forwarded  to  the 
appropriate  Judge  Advocate  General  or  for  judge 
advocate  review  pursuant  to  Article  64(a),  the 
record  will  be  arranged  and  bound  with  allied 
papers  in  the  sequence  indicated  below.  Trial 
counsel  is  responsible  for  arranging  the  record  as 
indicated,  except  that  items  6,  7,  and  15e  will  be 
inserted  by  the  convening  or  reviewing  authority, 
as  appropriate,  and  items  10  and  14  will  be 
inserted  by  either  trial  counsel  or  the  convening  or 
reviewing  authority,  whichever  has  custody  of 
them. 

1 .  Front  cover  and  inside  front  cover  (chronology 
sheet)  of  DD  Form  490. 

2.  Judge  advocate’s  review  pursuant  to  Article 
64(a),  if  any. 

3.  Request  of  accused  for  appellate  defense 
counsel,  or  waiver/withdrawal  of  appellate  rights, 
if  applicable. 

4.  Briefs  of  counsel  submitted  after  trial,  if  any 
(Article  38(c)). 

5.  DD  Form  494,  "Court-Martial  Data  Sheet.” 

6.  Court-martial  orders  promulgating  the  result  of 
trial  as  to  each  accused,  in  10  copies  when  the 
record  is  verbatim  and  in  4  copies  when  it  is 
summarized. 

7.  When  required,  signed  recommendation  of 
staff  judge  advocate  or  legal  officer,  in  duplicate, 
together  with  all  clemency  papers,  including 
clemency  recommendations  by  court  members. 


8.  Matters  submitted  by  the  accused  pursuant  to 
Article  60  (MCM,  1984,  RCM  1105). 

9.  DD  Form  458,  "Charge  Sheet"  (unless  included 
at  the  point  of  arraignment  in  the  record). 

10.  Congressional  inquiries  and  replies,  if  any. 

11.  DD  Form  457,  "Investigating  Officer's  Report," 
pursuant  to  Article  32,  if  such  investigation  was 
conducted,  followed  by  any  other  papers  which 
accompanied  the  charges  when  referred  for  trial, 
unless  included  in  the  record  of  trial  proper. 

12.  Advice  of  staff  judge  advocate  or  legal  officer, 
when  prepared  pursuant  to  Article  34  or  otherwise. 

13.  Requests  by  counsel  and  action  of  the 
convening  authority  taken  thereon  (e.g.,  requests 
concerning  delay,  witnesses  and  depositions). 

14.  Records  of  former  trials. 

1 5.  Record  of  trial  in  the  following  order: 

a.  Errata  sheet,  if  any. 

b.  Index  sheet  with  reverse  side  containing 
receipt  of  accused  or  defense  counsel  for  copy  of 
record  or  certificate  in  lieu  of  receipt. 

c.  Record  of  proceedings  in  court,  including 
Article  39(a)  sessions,  if  any. 

d.  Authentication  sheet,  followed  by  certificate 
of  correction,  if  any. 

e.  Action  of  convening  authority  and,  if  appro¬ 
priate,  action  of  officer  exercising  general  court- 
martial  jurisdiction. 

f.  Exhibits  admitted  in  evidence. 

g.  Exhibits  not  received  in  evidence.  The  page 
of  the  record  of  trial  where  each  exhibit  was 
offered  and  rejected  will  be  noted  on  the  front  of 
each  exhibit. 

h.  Appellate  exhibits,  such  as  proposed  in¬ 
structions,  written  offers  of  proof  or  preliminary 
evidence  (real  or  documentary),  and  briefs  of 
counsel  submitted  at  trial. 
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